-rw-r--r--krb5-master-keyring-kdcsync.patch108
-rw-r--r--krb5.spec6
2 files changed, 114 insertions, 0 deletions
diff --git a/krb5-master-keyring-kdcsync.patch b/krb5-master-keyring-kdcsync.patch
new file mode 100644
index 0000000..d0c9f7c
--- /dev/null
+++ b/krb5-master-keyring-kdcsync.patch
@@ -0,0 +1,108 @@
+commit 2ac550e648ff88f84cc2da3c573202845f14e655
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Thu Jan 16 17:48:54 2014 -0500
+
+ Get time offsets for all keyring ccaches
+
+ Move the time offset lookup from krb5_krcc_resolve to make_cache, so
+ that we fetch time offsets for caches created by
+ krb5_krcc_ptcursor_next.
+
+ ticket: 7820
+ target_version: 1.12.2
+ tags: pullup
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index a0c8035..27bad9d 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
+
+ /* Create a cache handle for a cache ID. */
+ static krb5_error_code
+-make_cache(key_serial_t collection_id, key_serial_t cache_id,
+- const char *anchor_name, const char *collection_name,
+- const char *subsidiary_name, krb5_ccache *cache_out)
++make_cache(krb5_context context, key_serial_t collection_id,
++ key_serial_t cache_id, const char *anchor_name,
++ const char *collection_name, const char *subsidiary_name,
++ krb5_ccache *cache_out)
+ {
+ krb5_error_code ret;
++ krb5_os_context os_ctx = &context->os_context;
+ krb5_ccache ccache = NULL;
+ krb5_krcc_data *d;
+ key_serial_t pkey = 0;
+@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ ccache->data = d;
+ ccache->magic = KV5M_CCACHE;
+ *cache_out = ccache;
++
++ /* Lookup time offsets if necessary. */
++ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
++ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
++ if (krb5_krcc_get_time_offsets(context, ccache,
++ &os_ctx->time_offset,
++ &os_ctx->usec_offset) == 0) {
++ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
++ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
++ }
++ }
++
+ return 0;
+ }
+
+@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ static krb5_error_code KRB5_CALLCONV
+ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ {
+- krb5_os_context os_ctx = &context->os_context;
+ krb5_error_code ret;
+ key_serial_t collection_id, cache_id;
+ char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
+@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ if (cache_id < 0)
+ cache_id = 0;
+
+- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
+- subsidiary_name, id);
++ ret = make_cache(context, collection_id, cache_id, anchor_name,
++ collection_name, subsidiary_name, id);
+ if (ret)
+ goto cleanup;
+
+- /* Lookup time offsets if necessary. */
+- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+- if (krb5_krcc_get_time_offsets(context, *id,
+- &os_ctx->time_offset,
+- &os_ctx->usec_offset) == 0) {
+- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+- }
+- }
+-
+ cleanup:
+ free(anchor_name);
+ free(collection_name);
+@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+ cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
+ first_name, 0);
+ if (cache_id != -1) {
+- return make_cache(data->collection_id, cache_id, data->anchor_name,
+- data->collection_name, first_name, cache_out);
++ return make_cache(context, data->collection_id, cache_id,
++ data->anchor_name, data->collection_name,
++ first_name, cache_out);
+ }
+ }
+
+@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+
+ /* We found a valid key */
+ data->next_key++;
+- ret = make_cache(data->collection_id, key, data->anchor_name,
++ ret = make_cache(context, data->collection_id, key, data->anchor_name,
+ data->collection_name, subsidiary_name, cache_out);
+ free(description);
+ return ret;
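Review bot: The relocated comment `/* Lookup time offsets if necessary. */` no longer tells the reader what the move changes: because the lookup is skipped once KRB5_OS_TOFFSET_VALID is set and sets that flag on success, the first cache handle created for a context now fixes the offsets for every later handle, and that first handle may come from krb5_krcc_ptcursor_next in keyring-iteration order rather than from the default cache the caller resolved. I would replace it with `/* Fetch KDC time offsets from this cache unless the context already has some; the first cache built for the context (via resolve or cursor iteration) wins, and a failed lookup is ignored as best effort. */`. Since the offsets are read out of the ccache itself, anything able to write that keyring can shift the library's notion of KDC time — presumably pre-existing behaviour that this patch only relocates, as krb5_krcc_get_time_offsets is not shown here. The middle of make_cache, between the two cc_keyring.c hunks, is outside the view.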
diff --git a/krb5.spec b/krb5.spec
index 4680343..db829f6 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -90,6 +90,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-master-keyring-kdcsync.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -315,6 +316,8 @@ ln -s NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest
+%patch135 -p1 -b .keyring-kdcsync
+
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt
@@ -971,6 +974,9 @@ exit 0
- drop patch for RT#7807, included now
- drop patch for RT#7045, included now
- drop patches for RT#7813 and RT#7815, included now
+ - add patch to always retrieve the KDC time offsets from keyring caches,
+ so that we don't mistakenly interpret creds as expired before their
+ time when our clock is ahead of the KDC's (RT#7820, #1030607)
* Mon Jan 13 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-11
- update the PIC patch for iaesx86.s to not use ELF relocations to the version