From 7055e97009a7e6764a67a7dd9ca72d9f88bea3d2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 08:06:06 +0000 Subject: import krb5-1.15.1-19.el7 --- diff --git a/SOURCES/Add-KDC-policy-pluggable-interface.patch b/SOURCES/Add-KDC-policy-pluggable-interface.patch index 19cb799..590ff85 100644 --- a/SOURCES/Add-KDC-policy-pluggable-interface.patch +++ b/SOURCES/Add-KDC-policy-pluggable-interface.patch @@ -19,7 +19,6 @@ Also authored by Matt Rogers . ticket: 8606 (new) (cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96) [rharwood@redhat.com: mention but do not use kadm_auth] -Signed-off-by: Robbie Harwood --- doc/plugindev/index.rst | 1 + doc/plugindev/kdcpolicy.rst | 24 +++ diff --git a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch index 5d43ea7..a1a7fef 100644 --- a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch +++ b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch @@ -8,7 +8,6 @@ id-pkinit-san match against canonicalized client principal] ticket: 8528 (cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d) -Signed-off-by: Robbie Harwood --- src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/SOURCES/Add-certauth-pluggable-interface.patch b/SOURCES/Add-certauth-pluggable-interface.patch index 79bd718..b7719a8 100644 --- a/SOURCES/Add-certauth-pluggable-interface.patch +++ b/SOURCES/Add-certauth-pluggable-interface.patch @@ -22,7 +22,6 @@ doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst. ticket: 8561 (new) (cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57) -Signed-off-by: Robbie Harwood --- doc/admin/conf_files/krb5_conf.rst | 21 ++ doc/plugindev/certauth.rst | 27 ++ diff --git a/SOURCES/Add-k5test-expected_msg-expected_trace.patch b/SOURCES/Add-k5test-expected_msg-expected_trace.patch index c07c519..8a0dd37 100644 
--- a/SOURCES/Add-k5test-expected_msg-expected_trace.patch +++ b/SOURCES/Add-k5test-expected_msg-expected_trace.patch @@ -11,7 +11,6 @@ substrings in the trace output. (cherry picked from commit 8bb5fce69a4aa6c3082fa7def66a93974e10e17a) [rharwood@redhat.com: back out .gitignore] -Signed-off-by: Robbie Harwood --- src/config/post.in | 2 +- src/util/k5test.py | 37 ++++++++++++++++++++++++++++++++++--- diff --git a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch index cc0ddb3..4659281 100644 --- a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch +++ b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch @@ -14,7 +14,6 @@ enctype of the session key. ticket: 8569 (new) (cherry picked from commit 7feb7da54c0321b5a3eeb6c3797846a3cf7eda28) [rharwood@redhat.com: stub out GSS_KRB5_GET_CRED_IMPERSONATOR] -Signed-off-by: Robbie Harwood --- src/include/k5-int.h | 1 + src/lib/crypto/krb/crypto_int.h | 1 + diff --git a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch index 9c1dcf9..d9aecf6 100644 --- a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch +++ b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch @@ -7,8 +7,6 @@ Based on commit 5a1d0388ba2e4ec510ed715ce5fbc7f748941425 but missing everything but the make-certs change since infrastructure cannot patch binaries. Plan to run make-certs during build, but this will only work with openssl < 1.1. - -Signed-off-by: Robbie Harwood --- src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 +++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/SOURCES/Add-test-cert-with-no-extensions.patch b/SOURCES/Add-test-cert-with-no-extensions.patch index 90201f1..da6f8cb 100644 --- a/SOURCES/Add-test-cert-with-no-extensions.patch +++ b/SOURCES/Add-test-cert-with-no-extensions.patch 
@@ -9,8 +9,6 @@ with no certificate extensions. Re-run make-certs.sh. ticket: 8562 (cherry-picked from commit 0d23835660ab131d244d395e4568969b5c0dc678) [rharwood@redhat.com: only backport the make-certs.sh changes] - -Signed-off-by: Robbie Harwood --- src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SOURCES/Add-the-client_name-kdcpreauth-callback.patch b/SOURCES/Add-the-client_name-kdcpreauth-callback.patch index 25f4dea..9d53313 100644 --- a/SOURCES/Add-the-client_name-kdcpreauth-callback.patch +++ b/SOURCES/Add-the-client_name-kdcpreauth-callback.patch @@ -7,7 +7,6 @@ Add a kdcpreauth callback to returns the canonicalized client principal. ticket: 8570 (new) (cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1) -Signed-off-by: Robbie Harwood --- src/include/krb5/kdcpreauth_plugin.h | 6 ++++++ src/kdc/kdc_preauth.c | 9 ++++++++- diff --git a/SOURCES/Add-timestamp-helper-functions.patch b/SOURCES/Add-timestamp-helper-functions.patch index 1bd6a8e..5993793 100644 --- a/SOURCES/Add-timestamp-helper-functions.patch +++ b/SOURCES/Add-timestamp-helper-functions.patch @@ -10,7 +10,6 @@ indicating how third-party code should use it safely. ticket: 8352 (cherry picked from commit 58e9155060cd93b1a7557e37fbc9b077b76465c2) -Signed-off-by: Robbie Harwood --- src/include/k5-int.h | 31 +++++++++++++++++++++++++++++++ src/include/krb5/krb5.hin | 9 +++++++++ diff --git a/SOURCES/Add-timestamp-tests.patch b/SOURCES/Add-timestamp-tests.patch index 4fe37aa..74d0fb9 100644 --- a/SOURCES/Add-timestamp-tests.patch +++ b/SOURCES/Add-timestamp-tests.patch @@ -14,7 +14,6 @@ timestamps. ticket: 8352 (cherry picked from commit 8ca62e54e89e2fbd6a089e8ab20b4e374a486003) [rharwood@redhat.com: prune gitignore] -Signed-off-by: Robbie Harwood --- src/Makefile.in | 1 + src/config/pre.in | 2 + diff --git a/SOURCES/Add-y2038-documentation.patch b/SOURCES/Add-y2038-documentation.patch index 01642e1..fedd583 100644 
--- a/SOURCES/Add-y2038-documentation.patch +++ b/SOURCES/Add-y2038-documentation.patch @@ -5,7 +5,6 @@ Subject: [PATCH] Add y2038 documentation ticket: 8352 (cherry picked from commit 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9) -Signed-off-by: Robbie Harwood --- doc/appdev/index.rst | 1 + doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++ diff --git a/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch b/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch index 8eb9c2e..41206f7 100644 --- a/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch +++ b/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch @@ -14,7 +14,6 @@ target_version: 1.15-next tags: pullup (cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea) -Signed-off-by: Robbie Harwood --- src/lib/gssapi/krb5/context_time.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch index 69f99cb..b7620fc 100644 --- a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch +++ b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch @@ -6,7 +6,6 @@ Subject: [PATCH] Convert some pkiDebug messages to TRACE macros ticket: 8568 (new) (cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33) (cherry picked from commit 686fa6476eb759532d566794fa8d430774d44cf7) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++--------- src/plugins/preauth/pkinit/pkinit_identity.c | 3 - diff --git a/SOURCES/Correct-error-handling-bug-in-prior-commit.patch b/SOURCES/Correct-error-handling-bug-in-prior-commit.patch index 83da7f4..5039df1 100644 --- a/SOURCES/Correct-error-handling-bug-in-prior-commit.patch +++ b/SOURCES/Correct-error-handling-bug-in-prior-commit.patch 
@@ -9,7 +9,6 @@ possibly-modified alias. ticket: 8561 (cherry picked from commit 7fdaef7c3280c86b5df25ae061fb04cc56d8620c) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SOURCES/Deindent-crypto_retrieve_X509_sans.patch b/SOURCES/Deindent-crypto_retrieve_X509_sans.patch index 3864cd3..330820d 100644 --- a/SOURCES/Deindent-crypto_retrieve_X509_sans.patch +++ b/SOURCES/Deindent-crypto_retrieve_X509_sans.patch @@ -9,7 +9,6 @@ return parameters are always initialized. (cherry picked from commit c6b772523db9d7791ee1c56eb512c4626556a4e7) (cherry picked from commit 23086ac768a32db1e40a9b63684dbcfd76aba033) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++++---------- 1 file changed, 114 insertions(+), 110 deletions(-) diff --git a/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch b/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch index 3144401..552ef19 100644 --- a/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch +++ b/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch @@ -18,7 +18,6 @@ target_version: 1.16 tags: pullup (cherry picked from commit 225aab3540c13c6289b22022d5e110f6fc26151d) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/pkinit/pkinit_srv.c | 19 +++++++++++++------ src/plugins/preauth/pkinit/pkinit_trace.h | 3 +++ diff --git a/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch b/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch index 533818c..9b84bbb 100644 --- a/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch +++ b/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch @@ -18,7 +18,6 @@ initialize (my mistake when revising the commit, noted by rharwood). ticket: 8606 (cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113) -Signed-off-by: Robbie Harwood --- src/kdc/policy.c | 2 +- src/plugins/kdcpolicy/test/main.c | 10 +++++----- 
diff --git a/SOURCES/Fix-certauth-built-in-module-returns.patch b/SOURCES/Fix-certauth-built-in-module-returns.patch index f512f49..74498aa 100644 --- a/SOURCES/Fix-certauth-built-in-module-returns.patch +++ b/SOURCES/Fix-certauth-built-in-module-returns.patch @@ -19,7 +19,6 @@ there are no SANs at all. ticket: 8561 (cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------ src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++--- diff --git a/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch index fb84846..236d17a 100644 --- a/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch +++ b/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch @@ -8,7 +8,6 @@ implicitly relying on a local variable. Use it in get_in_tkt.c:verify_as_reply(). (cherry picked from commit 28a07a6461bb443b7fa75cc5cb859ad0db4cbb5a) -Signed-off-by: Robbie Harwood --- src/lib/krb5/krb/gc_via_tkt.c | 2 +- src/lib/krb5/krb/get_in_tkt.c | 4 ++-- diff --git a/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch b/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch index f02f9c5..43a0d6d 100644 --- a/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch +++ b/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch @@ -10,7 +10,6 @@ required by t_pkinit.py. (cherry picked from commit b0473da67d72e43b9f03b703869069348e872efc) [rharwood@redhat.com: remove newer sections in make-certs.sh] -Signed-off-by: Robbie Harwood --- src/tests/dejagnu/pkinit-certs/make-certs.sh | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/SOURCES/Fix-more-time-manipulations-for-y2038.patch b/SOURCES/Fix-more-time-manipulations-for-y2038.patch index 44252dc..91af0c8 100644 --- a/SOURCES/Fix-more-time-manipulations-for-y2038.patch +++ b/SOURCES/Fix-more-time-manipulations-for-y2038.patch 
@@ -9,7 +9,6 @@ krb5int_trace(). ticket: 8352 (cherry picked from commit a60db180211a383bd382afe729e9309acb8dcf53) -Signed-off-by: Robbie Harwood --- src/kadmin/server/misc.c | 2 +- src/kdc/dispatch.c | 2 +- diff --git a/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch b/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch index aaf15b6..d4d45c6 100644 --- a/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch +++ b/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch @@ -14,7 +14,6 @@ parse UPN values as enterprise principals. ticket: 8528 (new) (cherry picked from commit 46ff765e1fb8cbec2bb602b43311269e695dbedc) -Signed-off-by: Robbie Harwood --- src/include/krb5/kdcpreauth_plugin.h | 13 ++++++++++ src/kdc/kdc_preauth.c | 28 ++++++++++++++++++++-- diff --git a/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch b/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch new file mode 100644 index 0000000..53ba9ba --- /dev/null +++ b/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch 
@@ -0,0 +1,203 @@ +From 31d5c854198ed91fc2bd0b9fb87ed0dcd5a40eb6 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 24 Aug 2017 16:00:33 -0400 +Subject: [PATCH] Limit ticket lifetime to 2^31-1 seconds + +Although timestamps above 2^31-1 are now valid, intervals exceeding +2^31-1 seconds may be treated incorrectly by comparison operations. + +The initially computed interval in kdc_get_ticket_endtime() could be +negative if the requested end time is far in the future, causing the +function to yield an incorrect result. (With the new larger value of +kdc_infinity, this could specifically happen if a KDC-REQ contains a +zero till field.) Cap the interval at the maximum valid value. +Reported by Weijun Wang. + +Avoid delta comparisons in favor of timestamp comparions in +krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew +checks. + +Also use a y2038-safe timestamp comparison in set_request_times() when +comparing the requested renewable end time to the requested ticket end +time. 
+ +ticket: 8352 +(cherry picked from commit 54e58755368b58ba5894a14c1d02626da42d8003) +--- + src/clients/ksu/ccache.c | 2 +- + src/include/k5-int.h | 7 +++++++ + src/kdc/kdc_util.c | 7 ++++++- + src/kdc/replay.c | 2 +- + src/kdc/t_replay.c | 2 +- + src/lib/krb5/krb/gc_via_tkt.c | 4 ++-- + src/lib/krb5/krb/get_in_tkt.c | 6 +++--- + src/lib/krb5/krb/int-proto.h | 3 --- + src/lib/krb5/krb/valid_times.c | 4 ++-- + src/lib/krb5/os/timeofday.c | 2 +- + 10 files changed, 24 insertions(+), 15 deletions(-) + +diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c +index 236313b7b..2a99521d4 100644 +--- a/src/clients/ksu/ccache.c ++++ b/src/clients/ksu/ccache.c +@@ -282,7 +282,7 @@ krb5_error_code krb5_check_exp(context, tkt_time) + + } + +- if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) { ++ if (ts_after(currenttime, ts_incr(tkt_time.endtime, context->clockskew))) { + retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; + return retval; + } +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 39ffb9568..e31004a7c 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -2386,6 +2386,13 @@ ts_after(krb5_timestamp a, krb5_timestamp b) + return (uint32_t)a > (uint32_t)b; + } + ++/* Return true if a and b are within d seconds. 
*/ ++static inline krb5_boolean ++ts_within(krb5_timestamp a, krb5_timestamp b, krb5_deltat d) ++{ ++ return !ts_after(a, ts_incr(b, d)) && !ts_after(b, ts_incr(a, d)); ++} ++ + krb5_error_code KRB5_CALLCONV + krb5_get_credentials_for_user(krb5_context context, krb5_flags options, + krb5_ccache ccache, +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 5455e2a67..770163b94 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1759,14 +1759,19 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, + krb5_db_entry *server, + krb5_timestamp *out_endtime) + { +- krb5_timestamp until, life; ++ krb5_timestamp until; ++ krb5_deltat life; + + if (till == 0) + till = kdc_infinity; + + until = ts_min(till, endtime); + ++ /* Determine the requested lifetime, capped at the maximum valid time ++ * interval. */ + life = ts_delta(until, starttime); ++ if (ts_after(until, starttime) && life < 0) ++ life = INT32_MAX; + + if (client != NULL && client->max_life != 0) + life = min(life, client->max_life); +diff --git a/src/kdc/replay.c b/src/kdc/replay.c +index fab39cf88..caca783bf 100644 +--- a/src/kdc/replay.c ++++ b/src/kdc/replay.c +@@ -61,7 +61,7 @@ static size_t total_size = 0; + static krb5_ui_4 seed; + + #define STALE_TIME (2*60) /* two minutes */ +-#define STALE(ptr, now) (labs(ts_delta((ptr)->timein, now)) >= STALE_TIME) ++#define STALE(ptr, now) (ts_after(now, ts_incr((ptr)->timein, STALE_TIME))) + + /* Return x rotated to the left by r bits. 
*/ + static inline krb5_ui_4 +diff --git a/src/kdc/t_replay.c b/src/kdc/t_replay.c +index 1442e0e8c..bb7e2faff 100644 +--- a/src/kdc/t_replay.c ++++ b/src/kdc/t_replay.c +@@ -903,7 +903,7 @@ test_kdc_insert_lookaside_cache_expire(void **state) + assert_non_null(e); + e->num_hits = 5; + +- time_return(STALE_TIME, 0); ++ time_return(STALE_TIME + 1, 0); + kdc_insert_lookaside(context, &req2, NULL); + + assert_null(K5_LIST_FIRST(&hash_table[req_hash1])); +diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c +index cf1ea361f..5b9bb9573 100644 +--- a/src/lib/krb5/krb/gc_via_tkt.c ++++ b/src/lib/krb5/krb/gc_via_tkt.c +@@ -306,8 +306,8 @@ krb5int_process_tgs_reply(krb5_context context, + goto cleanup; + + if (!in_cred->times.starttime && +- !in_clock_skew(context, dec_rep->enc_part2->times.starttime, +- timestamp)) { ++ !ts_within(dec_rep->enc_part2->times.starttime, timestamp, ++ context->clockskew)) { + retval = KRB5_KDCREP_SKEW; + goto cleanup; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 7178bd87b..ed15550f0 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -269,8 +269,8 @@ verify_as_reply(krb5_context context, + return retval; + } else { + if ((request->from == 0) && +- !in_clock_skew(context, as_reply->enc_part2->times.starttime, +- time_now)) ++ !ts_within(as_reply->enc_part2->times.starttime, time_now, ++ context->clockskew)) + return (KRB5_KDCREP_SKEW); + } + return 0; +@@ -781,7 +781,7 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx) + if (ctx->renew_life > 0) { + /* Don't ask for a smaller renewable time than the lifetime. 
*/ + ctx->request->rtime = ts_incr(from, ctx->renew_life); +- if (ctx->request->rtime < ctx->request->till) ++ if (ts_after(ctx->request->till, ctx->request->rtime)) + ctx->request->rtime = ctx->request->till; + ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK; + } else { +diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h +index 48bd9f8f7..9c746d05b 100644 +--- a/src/lib/krb5/krb/int-proto.h ++++ b/src/lib/krb5/krb/int-proto.h +@@ -83,9 +83,6 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options, + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields); + +-#define in_clock_skew(context, date, now) \ +- (labs(ts_delta(date, now)) < (context)->clockskew) +- + #define IS_TGS_PRINC(p) ((p)->length == 2 && \ + data_eq_string((p)->data[0], KRB5_TGS_NAME)) + +diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c +index 9e509b2dd..294761a88 100644 +--- a/src/lib/krb5/krb/valid_times.c ++++ b/src/lib/krb5/krb/valid_times.c +@@ -47,10 +47,10 @@ krb5int_validate_times(krb5_context context, krb5_ticket_times *times) + else + starttime = times->authtime; + +- if (ts_delta(starttime, currenttime) > context->clockskew) ++ if (ts_after(starttime, ts_incr(currenttime, context->clockskew))) + return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */ + +- if (ts_delta(currenttime, times->endtime) > context->clockskew) ++ if (ts_after(currenttime, ts_incr(times->endtime, context->clockskew))) + return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */ + + return 0; +diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c +index 887f24c22..d4e36b1c7 100644 +--- a/src/lib/krb5/os/timeofday.c ++++ b/src/lib/krb5/os/timeofday.c +@@ -60,7 +60,7 @@ krb5_check_clockskew(krb5_context context, krb5_timestamp date) + retval = krb5_timeofday(context, ¤ttime); + if (retval) + return retval; +- if (labs(ts_delta(date, currenttime)) >= context->clockskew) ++ if (!ts_within(date, currenttime, 
context->clockskew)) + return KRB5KRB_AP_ERR_SKEW; + + return 0; diff --git a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch index 8ae5272..b729c48 100644 --- a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch +++ b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch @@ -24,7 +24,6 @@ safely convert from libkrb5 timestamp values. ticket: 8352 (cherry picked from commit a9cbbf0899f270fbb14f63ffbed1b6d542333641) -Signed-off-by: Robbie Harwood --- src/clients/kinit/kinit.c | 2 +- src/clients/klist/klist.c | 20 ++++------- diff --git a/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch b/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch index 084f55e..7d73dde 100644 --- a/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch +++ b/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch @@ -28,7 +28,6 @@ target_version: 1.14-next tags: pullup (cherry picked from commit ffb35baac6981f9e8914f8f3bffd37f284b85970) -Signed-off-by: Robbie Harwood --- src/kdc/do_as_req.c | 4 ++-- src/kdc/do_tgs_req.c | 3 ++- diff --git a/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch b/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch index 94315ea..af23c82 100644 --- a/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch +++ b/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch @@ -10,7 +10,6 @@ initialization instead of silently ignoring the realm entirely. ticket: 8603 (new) (cherry picked from commit 3ff426b9048a8024e5c175256c63cd0ad0572320) -Signed-off-by: Robbie Harwood --- doc/admin/conf_files/kdc_conf.rst | 3 --- src/man/kdc.conf.man | 3 --- diff --git a/SOURCES/Use-krb5_timestamp-where-appropriate.patch b/SOURCES/Use-krb5_timestamp-where-appropriate.patch index 084c698..a7f2294 100644 --- a/SOURCES/Use-krb5_timestamp-where-appropriate.patch +++ b/SOURCES/Use-krb5_timestamp-where-appropriate.patch 
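Review bot: The new `ts_within()` helper in k5-int.h is inclusive at both ends, so the three call sites that replace a `labs(ts_delta(...))` test each accept one more second of skew than before: `krb5_check_clockskew()` in timeofday.c formerly rejected `|date - now| >= clockskew` and now rejects only `> clockskew`, and the removed `in_clock_skew` macro (strict `<`) means the AS/TGS start-time checks in get_in_tkt.c and gc_via_tkt.c are loosened the same way, yet the commit message describes this only as avoiding delta comparisons. Worth either calling out the boundary shift in the message or documenting it at the helper, e.g. `/* Return true if a and b are within d seconds of each other (inclusive). */`. Separately, the rewritten `STALE()` in replay.c only ages out lookaside entries whose timein is more than STALE_TIME behind now, whereas the old two-sided `labs()` form also dropped entries whose timein lies in the future, so after a backwards clock step those entries would linger until the clock catches up; a one-line comment stating that this one-sidedness is intended, or keeping the symmetric form as `!ts_within((ptr)->timein, now, STALE_TIME - 1)`, would make the change self-explanatory. The edited functions (`krb5_check_clockskew`, `kdc_get_ticket_endtime`, `krb5int_validate_times`, `krb5_check_exp`) all begin and end outside the visible hunks.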
@@ -7,7 +7,6 @@ Where krb5_int32 is used to hold the number of seconds since the epoch, use krb5_timestamp instead. (cherry picked from commit ae25f6ec5558140a546db34fea389412d81c0631) -Signed-off-by: Robbie Harwood --- src/clients/klist/klist.c | 2 +- src/include/k5-int.h | 2 +- diff --git a/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch b/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch index e77b58a..6be4cdb 100644 --- a/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch +++ b/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch @@ -9,7 +9,6 @@ callback) instead of the request client principal. ticket: 8571 (new) (cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/otp/main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SOURCES/krb5-1.11-kpasswdtest.patch b/SOURCES/krb5-1.11-kpasswdtest.patch index d58987e..4657926 100644 --- a/SOURCES/krb5-1.11-kpasswdtest.patch +++ b/SOURCES/krb5-1.11-kpasswdtest.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 10:03:40 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch -Signed-off-by: Robbie Harwood --- src/kadmin/testing/proto/krb5.conf.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/SOURCES/krb5-1.11-run_user_0.patch b/SOURCES/krb5-1.11-run_user_0.patch index 3093df6..734341c 100644 --- a/SOURCES/krb5-1.11-run_user_0.patch +++ b/SOURCES/krb5-1.11-run_user_0.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 10:03:22 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch -Signed-off-by: Robbie Harwood --- src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/SOURCES/krb5-1.12-api.patch b/SOURCES/krb5-1.12-api.patch index e040029..ae261d5 100644 --- a/SOURCES/krb5-1.12-api.patch +++ b/SOURCES/krb5-1.12-api.patch @@ -3,7 +3,6 @@ 
From: Robbie Harwood Date: Fri, 22 Apr 2016 09:59:22 -0400 Subject: [PATCH] krb5-1.12-api.patch -Signed-off-by: Robbie Harwood --- src/lib/krb5/krb/princ_comp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/SOURCES/krb5-1.12-ksu-path.patch b/SOURCES/krb5-1.12-ksu-path.patch index cc4a074..7127916 100644 --- a/SOURCES/krb5-1.12-ksu-path.patch +++ b/SOURCES/krb5-1.12-ksu-path.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 09:57:25 -0400 Subject: [PATCH] krb5-1.12-ksu-path.patch -Signed-off-by: Robbie Harwood --- src/clients/ksu/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOURCES/krb5-1.12-ktany.patch b/SOURCES/krb5-1.12-ktany.patch index bae76e2..a518ebf 100644 --- a/SOURCES/krb5-1.12-ktany.patch +++ b/SOURCES/krb5-1.12-ktany.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 09:58:00 -0400 Subject: [PATCH] krb5-1.12-ktany.patch -Signed-off-by: Robbie Harwood --- src/lib/krb5/keytab/Makefile.in | 3 + src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++ diff --git a/SOURCES/krb5-1.12.1-pam.patch b/SOURCES/krb5-1.12.1-pam.patch index 7b8d6f5..87eeec9 100644 --- a/SOURCES/krb5-1.12.1-pam.patch +++ b/SOURCES/krb5-1.12.1-pam.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Mon, 18 Apr 2016 15:57:38 -0400 Subject: [PATCH] krb5-1.12.1-pam.patch -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 67 ++++++++ src/clients/ksu/Makefile.in | 8 +- diff --git a/SOURCES/krb5-1.13-dirsrv-accountlock.patch b/SOURCES/krb5-1.13-dirsrv-accountlock.patch index 268c859..1c7182a 100644 --- a/SOURCES/krb5-1.13-dirsrv-accountlock.patch +++ b/SOURCES/krb5-1.13-dirsrv-accountlock.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 10:01:15 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 9 +++++++++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ 
diff --git a/SOURCES/krb5-1.15-beta1-buildconf.patch b/SOURCES/krb5-1.15-beta1-buildconf.patch index 71e122d..958cfdf 100644 --- a/SOURCES/krb5-1.15-beta1-buildconf.patch +++ b/SOURCES/krb5-1.15-beta1-buildconf.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Wed, 4 Jan 2017 13:18:18 -0500 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch -Signed-off-by: Robbie Harwood --- src/build-tools/krb5-config.in | 7 +++++++ src/config/pre.in | 2 +- diff --git a/SOURCES/krb5-1.15-beta1-selinux-label.patch b/SOURCES/krb5-1.15-beta1-selinux-label.patch index 0cc22e8..0e79ce9 100644 --- a/SOURCES/krb5-1.15-beta1-selinux-label.patch +++ b/SOURCES/krb5-1.15-beta1-selinux-label.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Wed, 4 Jan 2017 13:17:28 -0500 Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 49 +++ src/build-tools/krb5-config.in | 3 +- diff --git a/SOURCES/krb5-1.3.1-dns.patch b/SOURCES/krb5-1.3.1-dns.patch index 761722f..7f2cfdf 100644 --- a/SOURCES/krb5-1.3.1-dns.patch +++ b/SOURCES/krb5-1.3.1-dns.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 09:59:05 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/SOURCES/krb5-1.9-debuginfo.patch b/SOURCES/krb5-1.9-debuginfo.patch index e74a6a9..c9a6499 100644 --- a/SOURCES/krb5-1.9-debuginfo.patch +++ b/SOURCES/krb5-1.9-debuginfo.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Fri, 22 Apr 2016 10:02:40 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch -Signed-off-by: Robbie Harwood --- src/kadmin/cli/Makefile.in | 5 +++++ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- diff --git a/SOURCES/krb5-kvno-230379.patch b/SOURCES/krb5-kvno-230379.patch index 2005ab9..0e7c5d5 100644 --- a/SOURCES/krb5-kvno-230379.patch +++ b/SOURCES/krb5-kvno-230379.patch @@ -3,7 +3,6 @@ 
From: Robbie Harwood Date: Fri, 22 Apr 2016 10:03:07 -0400 Subject: [PATCH] krb5-kvno-230379.patch -Signed-off-by: Robbie Harwood --- src/kadmin/ktutil/ktutil.c | 5 +++-- src/lib/krb5/keytab/kt_file.c | 2 +- diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index e3a5ee2..5ea0c61 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -12,7 +12,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.15.1 -Release: 18%{?dist} +Release: 19%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar @@ -88,6 +88,7 @@ Patch173: Convert-some-pkiDebug-messages-to-TRACE-macros.patch Patch174: Fix-certauth-built-in-module-returns.patch Patch175: Add-test-cert-with-no-extensions.patch Patch176: Expose-context-errors-in-pkinit_server_plugin_init.patch +Patch177: Limit-ticket-lifetime-to-2-31-1-seconds.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -309,6 +310,7 @@ ONLY by kerberos itself. Do not depend on this package. %patch174 -p1 -b .Fix-certauth-built-in-module-returns %patch175 -p1 -b .Add-test-cert-with-no-extensions %patch176 -p1 -b .Expose-context-errors-in-pkinit_server_plugin_init +%patch177 -p1 -b .Limit-ticket-lifetime-to-2-31-1-seconds ln NOTICE LICENSE @@ -813,6 +815,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri Mar 02 2018 Robbie Harwood - 1.15.1-19 +- Limit ticket lifetime to 2^31-1 seconds +- Resolves: #1554723 + * Tue Nov 28 2017 Robbie Harwood - 1.15.1-18 - Expose context errors in pkinit_server_plugin_init - Resolves: #1460089