diff --git a/SOURCES/Add-KDC-policy-pluggable-interface.patch b/SOURCES/Add-KDC-policy-pluggable-interface.patch
index 19cb799..590ff85 100644
--- a/SOURCES/Add-KDC-policy-pluggable-interface.patch
+++ b/SOURCES/Add-KDC-policy-pluggable-interface.patch
@@ -19,7 +19,6 @@ Also authored by Matt Rogers <mrogers@redhat.com>.
 ticket: 8606 (new)
 (cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96)
 [rharwood@redhat.com: mention but do not use kadm_auth]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  doc/plugindev/index.rst                        |   1 +
  doc/plugindev/kdcpolicy.rst                    |  24 +++
diff --git a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
index 5d43ea7..a1a7fef 100644
--- a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
+++ b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
@@ -8,7 +8,6 @@ id-pkinit-san match against canonicalized client principal]
 
 ticket: 8528
 (cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
  1 file changed, 57 insertions(+)
diff --git a/SOURCES/Add-certauth-pluggable-interface.patch b/SOURCES/Add-certauth-pluggable-interface.patch
index 79bd718..b7719a8 100644
--- a/SOURCES/Add-certauth-pluggable-interface.patch
+++ b/SOURCES/Add-certauth-pluggable-interface.patch
@@ -22,7 +22,6 @@ doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
 
 ticket: 8561 (new)
 (cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  doc/admin/conf_files/krb5_conf.rst                 |  21 ++
  doc/plugindev/certauth.rst                         |  27 ++
diff --git a/SOURCES/Add-k5test-expected_msg-expected_trace.patch b/SOURCES/Add-k5test-expected_msg-expected_trace.patch
index c07c519..8a0dd37 100644
--- a/SOURCES/Add-k5test-expected_msg-expected_trace.patch
+++ b/SOURCES/Add-k5test-expected_msg-expected_trace.patch
@@ -11,7 +11,6 @@ substrings in the trace output.
 
 (cherry picked from commit 8bb5fce69a4aa6c3082fa7def66a93974e10e17a)
 [rharwood@redhat.com: back out .gitignore]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/config/post.in |  2 +-
  src/util/k5test.py | 37 ++++++++++++++++++++++++++++++++++---
diff --git a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch
index cc0ddb3..4659281 100644
--- a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch
+++ b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch
@@ -14,7 +14,6 @@ enctype of the session key.
 ticket: 8569 (new)
 (cherry picked from commit 7feb7da54c0321b5a3eeb6c3797846a3cf7eda28)
 [rharwood@redhat.com: stub out GSS_KRB5_GET_CRED_IMPERSONATOR]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/include/k5-int.h                    |  1 +
  src/lib/crypto/krb/crypto_int.h         |  1 +
diff --git a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch
index 9c1dcf9..d9aecf6 100644
--- a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch
+++ b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch
@@ -7,8 +7,6 @@ Based on commit 5a1d0388ba2e4ec510ed715ce5fbc7f748941425 but missing
 everything but the make-certs change since infrastructure cannot patch
 binaries.  Plan to run make-certs during build, but this will only
 work with openssl < 1.1.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 +++++++++++++++++++++++++++-
  1 file changed, 52 insertions(+), 1 deletion(-)
diff --git a/SOURCES/Add-test-cert-with-no-extensions.patch b/SOURCES/Add-test-cert-with-no-extensions.patch
index 90201f1..da6f8cb 100644
--- a/SOURCES/Add-test-cert-with-no-extensions.patch
+++ b/SOURCES/Add-test-cert-with-no-extensions.patch
@@ -9,8 +9,6 @@ with no certificate extensions.  Re-run make-certs.sh.
 ticket: 8562
 (cherry-picked from commit 0d23835660ab131d244d395e4568969b5c0dc678)
 [rharwood@redhat.com: only backport the make-certs.sh changes]
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++++++
  1 file changed, 9 insertions(+)
diff --git a/SOURCES/Add-the-client_name-kdcpreauth-callback.patch b/SOURCES/Add-the-client_name-kdcpreauth-callback.patch
index 25f4dea..9d53313 100644
--- a/SOURCES/Add-the-client_name-kdcpreauth-callback.patch
+++ b/SOURCES/Add-the-client_name-kdcpreauth-callback.patch
@@ -7,7 +7,6 @@ Add a kdcpreauth callback to returns the canonicalized client principal.
 
 ticket: 8570 (new)
 (cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
  src/kdc/kdc_preauth.c                | 9 ++++++++-
diff --git a/SOURCES/Add-timestamp-helper-functions.patch b/SOURCES/Add-timestamp-helper-functions.patch
index 1bd6a8e..5993793 100644
--- a/SOURCES/Add-timestamp-helper-functions.patch
+++ b/SOURCES/Add-timestamp-helper-functions.patch
@@ -10,7 +10,6 @@ indicating how third-party code should use it safely.
 
 ticket: 8352
 (cherry picked from commit 58e9155060cd93b1a7557e37fbc9b077b76465c2)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/include/k5-int.h      | 31 +++++++++++++++++++++++++++++++
  src/include/krb5/krb5.hin |  9 +++++++++
diff --git a/SOURCES/Add-timestamp-tests.patch b/SOURCES/Add-timestamp-tests.patch
index 4fe37aa..74d0fb9 100644
--- a/SOURCES/Add-timestamp-tests.patch
+++ b/SOURCES/Add-timestamp-tests.patch
@@ -14,7 +14,6 @@ timestamps.
 ticket: 8352
 (cherry picked from commit 8ca62e54e89e2fbd6a089e8ab20b4e374a486003)
 [rharwood@redhat.com: prune gitignore]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/Makefile.in                  |   1 +
  src/config/pre.in                |   2 +
diff --git a/SOURCES/Add-y2038-documentation.patch b/SOURCES/Add-y2038-documentation.patch
index 01642e1..fedd583 100644
--- a/SOURCES/Add-y2038-documentation.patch
+++ b/SOURCES/Add-y2038-documentation.patch
@@ -5,7 +5,6 @@ Subject: [PATCH] Add y2038 documentation
 
 ticket: 8352
 (cherry picked from commit 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  doc/appdev/index.rst |  1 +
  doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++
diff --git a/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch b/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch
index 8eb9c2e..41206f7 100644
--- a/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch
+++ b/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch
@@ -14,7 +14,6 @@ target_version: 1.15-next
 tags: pullup
 
 (cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/lib/gssapi/krb5/context_time.c | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
index 69f99cb..b7620fc 100644
--- a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+++ b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
@@ -6,7 +6,6 @@ Subject: [PATCH] Convert some pkiDebug messages to TRACE macros
 ticket: 8568 (new)
 (cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33)
 (cherry picked from commit 686fa6476eb759532d566794fa8d430774d44cf7)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++---------
  src/plugins/preauth/pkinit/pkinit_identity.c       |  3 -
diff --git a/SOURCES/Correct-error-handling-bug-in-prior-commit.patch b/SOURCES/Correct-error-handling-bug-in-prior-commit.patch
index 83da7f4..5039df1 100644
--- a/SOURCES/Correct-error-handling-bug-in-prior-commit.patch
+++ b/SOURCES/Correct-error-handling-bug-in-prior-commit.patch
@@ -9,7 +9,6 @@ possibly-modified alias.
 
 ticket: 8561
 (cherry picked from commit 7fdaef7c3280c86b5df25ae061fb04cc56d8620c)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SOURCES/Deindent-crypto_retrieve_X509_sans.patch b/SOURCES/Deindent-crypto_retrieve_X509_sans.patch
index 3864cd3..330820d 100644
--- a/SOURCES/Deindent-crypto_retrieve_X509_sans.patch
+++ b/SOURCES/Deindent-crypto_retrieve_X509_sans.patch
@@ -9,7 +9,6 @@ return parameters are always initialized.
 
 (cherry picked from commit c6b772523db9d7791ee1c56eb512c4626556a4e7)
 (cherry picked from commit 23086ac768a32db1e40a9b63684dbcfd76aba033)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++++----------
  1 file changed, 114 insertions(+), 110 deletions(-)
diff --git a/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch b/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch
index 3144401..552ef19 100644
--- a/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch
+++ b/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch
@@ -18,7 +18,6 @@ target_version: 1.16
 tags: pullup
 
 (cherry picked from commit 225aab3540c13c6289b22022d5e110f6fc26151d)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/plugins/preauth/pkinit/pkinit_srv.c   | 19 +++++++++++++------
  src/plugins/preauth/pkinit/pkinit_trace.h |  3 +++
diff --git a/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch b/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch
index 533818c..9b84bbb 100644
--- a/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch
+++ b/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch
@@ -18,7 +18,6 @@ initialize (my mistake when revising the commit, noted by rharwood).
 
 ticket: 8606
 (cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/kdc/policy.c                  |  2 +-
  src/plugins/kdcpolicy/test/main.c | 10 +++++-----
diff --git a/SOURCES/Fix-certauth-built-in-module-returns.patch b/SOURCES/Fix-certauth-built-in-module-returns.patch
index f512f49..74498aa 100644
--- a/SOURCES/Fix-certauth-built-in-module-returns.patch
+++ b/SOURCES/Fix-certauth-built-in-module-returns.patch
@@ -19,7 +19,6 @@ there are no SANs at all.
 
 ticket: 8561
 (cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------
  src/plugins/preauth/pkinit/pkinit_srv.c            | 14 +++++---
diff --git a/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
index fb84846..236d17a 100644
--- a/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
+++ b/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
@@ -8,7 +8,6 @@ implicitly relying on a local variable.  Use it in
 get_in_tkt.c:verify_as_reply().
 
 (cherry picked from commit 28a07a6461bb443b7fa75cc5cb859ad0db4cbb5a)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/lib/krb5/krb/gc_via_tkt.c | 2 +-
  src/lib/krb5/krb/get_in_tkt.c | 4 ++--
diff --git a/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch b/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch
index f02f9c5..43a0d6d 100644
--- a/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch
+++ b/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch
@@ -10,7 +10,6 @@ required by t_pkinit.py.
 
 (cherry picked from commit b0473da67d72e43b9f03b703869069348e872efc)
 [rharwood@redhat.com: remove newer sections in make-certs.sh]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/tests/dejagnu/pkinit-certs/make-certs.sh | 19 +++++++++----------
  1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/SOURCES/Fix-more-time-manipulations-for-y2038.patch b/SOURCES/Fix-more-time-manipulations-for-y2038.patch
index 44252dc..91af0c8 100644
--- a/SOURCES/Fix-more-time-manipulations-for-y2038.patch
+++ b/SOURCES/Fix-more-time-manipulations-for-y2038.patch
@@ -9,7 +9,6 @@ krb5int_trace().
 
 ticket: 8352
 (cherry picked from commit a60db180211a383bd382afe729e9309acb8dcf53)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/kadmin/server/misc.c   | 2 +-
  src/kdc/dispatch.c         | 2 +-
diff --git a/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch b/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch
index aaf15b6..d4d45c6 100644
--- a/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch
+++ b/SOURCES/Improve-PKINIT-UPN-SAN-matching.patch
@@ -14,7 +14,6 @@ parse UPN values as enterprise principals.
 
 ticket: 8528 (new)
 (cherry picked from commit 46ff765e1fb8cbec2bb602b43311269e695dbedc)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/include/krb5/kdcpreauth_plugin.h               | 13 ++++++++++
  src/kdc/kdc_preauth.c                              | 28 ++++++++++++++++++++--
diff --git a/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch b/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch
new file mode 100644
index 0000000..53ba9ba
--- /dev/null
+++ b/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch
@@ -0,0 +1,203 @@
+From 31d5c854198ed91fc2bd0b9fb87ed0dcd5a40eb6 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 24 Aug 2017 16:00:33 -0400
+Subject: [PATCH] Limit ticket lifetime to 2^31-1 seconds
+
+Although timestamps above 2^31-1 are now valid, intervals exceeding
+2^31-1 seconds may be treated incorrectly by comparison operations.
+
+The initially computed interval in kdc_get_ticket_endtime() could be
+negative if the requested end time is far in the future, causing the
+function to yield an incorrect result.  (With the new larger value of
+kdc_infinity, this could specifically happen if a KDC-REQ contains a
+zero till field.)  Cap the interval at the maximum valid value.
+Reported by Weijun Wang.
+
+Avoid delta comparisons in favor of timestamp comparions in
+krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
+checks.
+
+Also use a y2038-safe timestamp comparison in set_request_times() when
+comparing the requested renewable end time to the requested ticket end
+time.
+
+ticket: 8352
+(cherry picked from commit 54e58755368b58ba5894a14c1d02626da42d8003)
+---
+ src/clients/ksu/ccache.c       | 2 +-
+ src/include/k5-int.h           | 7 +++++++
+ src/kdc/kdc_util.c             | 7 ++++++-
+ src/kdc/replay.c               | 2 +-
+ src/kdc/t_replay.c             | 2 +-
+ src/lib/krb5/krb/gc_via_tkt.c  | 4 ++--
+ src/lib/krb5/krb/get_in_tkt.c  | 6 +++---
+ src/lib/krb5/krb/int-proto.h   | 3 ---
+ src/lib/krb5/krb/valid_times.c | 4 ++--
+ src/lib/krb5/os/timeofday.c    | 2 +-
+ 10 files changed, 24 insertions(+), 15 deletions(-)
+
+diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
+index 236313b7b..2a99521d4 100644
+--- a/src/clients/ksu/ccache.c
++++ b/src/clients/ksu/ccache.c
+@@ -282,7 +282,7 @@ krb5_error_code krb5_check_exp(context, tkt_time)
+ 
+     }
+ 
+-    if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) {
++    if (ts_after(currenttime, ts_incr(tkt_time.endtime, context->clockskew))) {
+         retval = KRB5KRB_AP_ERR_TKT_EXPIRED ;
+         return retval;
+     }
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 39ffb9568..e31004a7c 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -2386,6 +2386,13 @@ ts_after(krb5_timestamp a, krb5_timestamp b)
+     return (uint32_t)a > (uint32_t)b;
+ }
+ 
++/* Return true if a and b are within d seconds. */
++static inline krb5_boolean
++ts_within(krb5_timestamp a, krb5_timestamp b, krb5_deltat d)
++{
++    return !ts_after(a, ts_incr(b, d)) && !ts_after(b, ts_incr(a, d));
++}
++
+ krb5_error_code KRB5_CALLCONV
+ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+                               krb5_ccache ccache,
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 5455e2a67..770163b94 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1759,14 +1759,19 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
+                        krb5_db_entry *server,
+                        krb5_timestamp *out_endtime)
+ {
+-    krb5_timestamp until, life;
++    krb5_timestamp until;
++    krb5_deltat life;
+ 
+     if (till == 0)
+         till = kdc_infinity;
+ 
+     until = ts_min(till, endtime);
+ 
++    /* Determine the requested lifetime, capped at the maximum valid time
++     * interval. */
+     life = ts_delta(until, starttime);
++    if (ts_after(until, starttime) && life < 0)
++        life = INT32_MAX;
+ 
+     if (client != NULL && client->max_life != 0)
+         life = min(life, client->max_life);
+diff --git a/src/kdc/replay.c b/src/kdc/replay.c
+index fab39cf88..caca783bf 100644
+--- a/src/kdc/replay.c
++++ b/src/kdc/replay.c
+@@ -61,7 +61,7 @@ static size_t total_size = 0;
+ static krb5_ui_4 seed;
+ 
+ #define STALE_TIME      (2*60)            /* two minutes */
+-#define STALE(ptr, now) (labs(ts_delta((ptr)->timein, now)) >= STALE_TIME)
++#define STALE(ptr, now) (ts_after(now, ts_incr((ptr)->timein, STALE_TIME)))
+ 
+ /* Return x rotated to the left by r bits. */
+ static inline krb5_ui_4
+diff --git a/src/kdc/t_replay.c b/src/kdc/t_replay.c
+index 1442e0e8c..bb7e2faff 100644
+--- a/src/kdc/t_replay.c
++++ b/src/kdc/t_replay.c
+@@ -903,7 +903,7 @@ test_kdc_insert_lookaside_cache_expire(void **state)
+     assert_non_null(e);
+     e->num_hits = 5;
+ 
+-    time_return(STALE_TIME, 0);
++    time_return(STALE_TIME + 1, 0);
+     kdc_insert_lookaside(context, &req2, NULL);
+ 
+     assert_null(K5_LIST_FIRST(&hash_table[req_hash1]));
+diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
+index cf1ea361f..5b9bb9573 100644
+--- a/src/lib/krb5/krb/gc_via_tkt.c
++++ b/src/lib/krb5/krb/gc_via_tkt.c
+@@ -306,8 +306,8 @@ krb5int_process_tgs_reply(krb5_context context,
+         goto cleanup;
+ 
+     if (!in_cred->times.starttime &&
+-        !in_clock_skew(context, dec_rep->enc_part2->times.starttime,
+-                       timestamp)) {
++        !ts_within(dec_rep->enc_part2->times.starttime, timestamp,
++                   context->clockskew)) {
+         retval = KRB5_KDCREP_SKEW;
+         goto cleanup;
+     }
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 7178bd87b..ed15550f0 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -269,8 +269,8 @@ verify_as_reply(krb5_context            context,
+             return retval;
+     } else {
+         if ((request->from == 0) &&
+-            !in_clock_skew(context, as_reply->enc_part2->times.starttime,
+-                           time_now))
++            !ts_within(as_reply->enc_part2->times.starttime, time_now,
++                       context->clockskew))
+             return (KRB5_KDCREP_SKEW);
+     }
+     return 0;
+@@ -781,7 +781,7 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
+     if (ctx->renew_life > 0) {
+         /* Don't ask for a smaller renewable time than the lifetime. */
+         ctx->request->rtime = ts_incr(from, ctx->renew_life);
+-        if (ctx->request->rtime < ctx->request->till)
++        if (ts_after(ctx->request->till, ctx->request->rtime))
+             ctx->request->rtime = ctx->request->till;
+         ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK;
+     } else {
+diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
+index 48bd9f8f7..9c746d05b 100644
+--- a/src/lib/krb5/krb/int-proto.h
++++ b/src/lib/krb5/krb/int-proto.h
+@@ -83,9 +83,6 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
+                                  krb5_creds *in_creds, krb5_creds *mcreds,
+                                  krb5_flags *fields);
+ 
+-#define in_clock_skew(context, date, now)               \
+-    (labs(ts_delta(date, now)) < (context)->clockskew)
+-
+ #define IS_TGS_PRINC(p) ((p)->length == 2 &&                            \
+                          data_eq_string((p)->data[0], KRB5_TGS_NAME))
+ 
+diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
+index 9e509b2dd..294761a88 100644
+--- a/src/lib/krb5/krb/valid_times.c
++++ b/src/lib/krb5/krb/valid_times.c
+@@ -47,10 +47,10 @@ krb5int_validate_times(krb5_context context, krb5_ticket_times *times)
+     else
+         starttime = times->authtime;
+ 
+-    if (ts_delta(starttime, currenttime) > context->clockskew)
++    if (ts_after(starttime, ts_incr(currenttime, context->clockskew)))
+         return KRB5KRB_AP_ERR_TKT_NYV;  /* ticket not yet valid */
+ 
+-    if (ts_delta(currenttime, times->endtime) > context->clockskew)
++    if (ts_after(currenttime, ts_incr(times->endtime, context->clockskew)))
+         return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+ 
+     return 0;
+diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
+index 887f24c22..d4e36b1c7 100644
+--- a/src/lib/krb5/os/timeofday.c
++++ b/src/lib/krb5/os/timeofday.c
+@@ -60,7 +60,7 @@ krb5_check_clockskew(krb5_context context, krb5_timestamp date)
+     retval = krb5_timeofday(context, &currenttime);
+     if (retval)
+         return retval;
+-    if (labs(ts_delta(date, currenttime)) >= context->clockskew)
++    if (!ts_within(date, currenttime, context->clockskew))
+         return KRB5KRB_AP_ERR_SKEW;
+ 
+     return 0;
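Review bot: The new `ts_within()` helper in k5-int.h is inclusive at the boundary, whereas the removed `in_clock_skew` macro used `labs(ts_delta(date, now)) < (context)->clockskew` and `krb5_check_clockskew()` rejected on `>=`. A timestamp exactly `clockskew` seconds off is therefore now accepted in `krb5int_process_tgs_reply()`, `verify_as_reply()` and `krb5_check_clockskew()`, which the embedded commit message does not mention. The helper's comment should state the boundary, for example `/* Return true if a and b differ by at most d seconds (inclusive). */`. The `STALE` macro in replay.c also changes from a symmetric `>=` test to a one-sided strict one (hence `STALE_TIME + 1` in t_replay.c), so a lookaside entry whose `timein` is ahead of `now`, as it would be after the clock steps back, is no longer treated as stale. A one-line comment on the macro saying whether that is intended would help; note that most of the touched functions begin or end outside their inner hunks, so callers relying on the old strict bounds are not visible here.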
diff --git a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch
index 8ae5272..b729c48 100644
--- a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch
+++ b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch
@@ -24,7 +24,6 @@ safely convert from libkrb5 timestamp values.
 
 ticket: 8352
 (cherry picked from commit a9cbbf0899f270fbb14f63ffbed1b6d542333641)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/clients/kinit/kinit.c                          |  2 +-
  src/clients/klist/klist.c                          | 20 ++++-------
diff --git a/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch b/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch
index 084f55e..7d73dde 100644
--- a/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch
+++ b/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch
@@ -28,7 +28,6 @@ target_version: 1.14-next
 tags: pullup
 
 (cherry picked from commit ffb35baac6981f9e8914f8f3bffd37f284b85970)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/kdc/do_as_req.c  |  4 ++--
  src/kdc/do_tgs_req.c |  3 ++-
diff --git a/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch b/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch
index 94315ea..af23c82 100644
--- a/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch
+++ b/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch
@@ -10,7 +10,6 @@ initialization instead of silently ignoring the realm entirely.
 
 ticket: 8603 (new)
 (cherry picked from commit 3ff426b9048a8024e5c175256c63cd0ad0572320)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  doc/admin/conf_files/kdc_conf.rst            |  3 ---
  src/man/kdc.conf.man                         |  3 ---
diff --git a/SOURCES/Use-krb5_timestamp-where-appropriate.patch b/SOURCES/Use-krb5_timestamp-where-appropriate.patch
index 084c698..a7f2294 100644
--- a/SOURCES/Use-krb5_timestamp-where-appropriate.patch
+++ b/SOURCES/Use-krb5_timestamp-where-appropriate.patch
@@ -7,7 +7,6 @@ Where krb5_int32 is used to hold the number of seconds since the
 epoch, use krb5_timestamp instead.
 
 (cherry picked from commit ae25f6ec5558140a546db34fea389412d81c0631)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/clients/klist/klist.c          |  2 +-
  src/include/k5-int.h               |  2 +-
diff --git a/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch b/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch
index e77b58a..6be4cdb 100644
--- a/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch
+++ b/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch
@@ -9,7 +9,6 @@ callback) instead of the request client principal.
 
 ticket: 8571 (new)
 (cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/plugins/preauth/otp/main.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/SOURCES/krb5-1.11-kpasswdtest.patch b/SOURCES/krb5-1.11-kpasswdtest.patch
index d58987e..4657926 100644
--- a/SOURCES/krb5-1.11-kpasswdtest.patch
+++ b/SOURCES/krb5-1.11-kpasswdtest.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 10:03:40 -0400
 Subject: [PATCH] krb5-1.11-kpasswdtest.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/kadmin/testing/proto/krb5.conf.proto | 1 +
  1 file changed, 1 insertion(+)
diff --git a/SOURCES/krb5-1.11-run_user_0.patch b/SOURCES/krb5-1.11-run_user_0.patch
index 3093df6..734341c 100644
--- a/SOURCES/krb5-1.11-run_user_0.patch
+++ b/SOURCES/krb5-1.11-run_user_0.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 10:03:22 -0400
 Subject: [PATCH] krb5-1.11-run_user_0.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
  1 file changed, 14 insertions(+)
diff --git a/SOURCES/krb5-1.12-api.patch b/SOURCES/krb5-1.12-api.patch
index e040029..ae261d5 100644
--- a/SOURCES/krb5-1.12-api.patch
+++ b/SOURCES/krb5-1.12-api.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 09:59:22 -0400
 Subject: [PATCH] krb5-1.12-api.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/lib/krb5/krb/princ_comp.c | 7 +++++++
  1 file changed, 7 insertions(+)
diff --git a/SOURCES/krb5-1.12-ksu-path.patch b/SOURCES/krb5-1.12-ksu-path.patch
index cc4a074..7127916 100644
--- a/SOURCES/krb5-1.12-ksu-path.patch
+++ b/SOURCES/krb5-1.12-ksu-path.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 09:57:25 -0400
 Subject: [PATCH] krb5-1.12-ksu-path.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/clients/ksu/Makefile.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SOURCES/krb5-1.12-ktany.patch b/SOURCES/krb5-1.12-ktany.patch
index bae76e2..a518ebf 100644
--- a/SOURCES/krb5-1.12-ktany.patch
+++ b/SOURCES/krb5-1.12-ktany.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 09:58:00 -0400
 Subject: [PATCH] krb5-1.12-ktany.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/lib/krb5/keytab/Makefile.in |   3 +
  src/lib/krb5/keytab/kt_any.c    | 292 ++++++++++++++++++++++++++++++++++++++++
diff --git a/SOURCES/krb5-1.12.1-pam.patch b/SOURCES/krb5-1.12.1-pam.patch
index 7b8d6f5..87eeec9 100644
--- a/SOURCES/krb5-1.12.1-pam.patch
+++ b/SOURCES/krb5-1.12.1-pam.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 18 Apr 2016 15:57:38 -0400
 Subject: [PATCH] krb5-1.12.1-pam.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/aclocal.m4              |  67 ++++++++
  src/clients/ksu/Makefile.in |   8 +-
diff --git a/SOURCES/krb5-1.13-dirsrv-accountlock.patch b/SOURCES/krb5-1.13-dirsrv-accountlock.patch
index 268c859..1c7182a 100644
--- a/SOURCES/krb5-1.13-dirsrv-accountlock.patch
+++ b/SOURCES/krb5-1.13-dirsrv-accountlock.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 10:01:15 -0400
 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/aclocal.m4                                    |  9 +++++++++
  src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c      | 17 +++++++++++++++++
diff --git a/SOURCES/krb5-1.15-beta1-buildconf.patch b/SOURCES/krb5-1.15-beta1-buildconf.patch
index 71e122d..958cfdf 100644
--- a/SOURCES/krb5-1.15-beta1-buildconf.patch
+++ b/SOURCES/krb5-1.15-beta1-buildconf.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 4 Jan 2017 13:18:18 -0500
 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/build-tools/krb5-config.in | 7 +++++++
  src/config/pre.in              | 2 +-
diff --git a/SOURCES/krb5-1.15-beta1-selinux-label.patch b/SOURCES/krb5-1.15-beta1-selinux-label.patch
index 0cc22e8..0e79ce9 100644
--- a/SOURCES/krb5-1.15-beta1-selinux-label.patch
+++ b/SOURCES/krb5-1.15-beta1-selinux-label.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 4 Jan 2017 13:17:28 -0500
 Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/aclocal.m4                                     |  49 +++
  src/build-tools/krb5-config.in                     |   3 +-
diff --git a/SOURCES/krb5-1.3.1-dns.patch b/SOURCES/krb5-1.3.1-dns.patch
index 761722f..7f2cfdf 100644
--- a/SOURCES/krb5-1.3.1-dns.patch
+++ b/SOURCES/krb5-1.3.1-dns.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 09:59:05 -0400
 Subject: [PATCH] krb5-1.3.1-dns.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/aclocal.m4 | 1 +
  1 file changed, 1 insertion(+)
diff --git a/SOURCES/krb5-1.9-debuginfo.patch b/SOURCES/krb5-1.9-debuginfo.patch
index e74a6a9..c9a6499 100644
--- a/SOURCES/krb5-1.9-debuginfo.patch
+++ b/SOURCES/krb5-1.9-debuginfo.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 10:02:40 -0400
 Subject: [PATCH] krb5-1.9-debuginfo.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/kadmin/cli/Makefile.in                 | 5 +++++
  src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
diff --git a/SOURCES/krb5-kvno-230379.patch b/SOURCES/krb5-kvno-230379.patch
index 2005ab9..0e7c5d5 100644
--- a/SOURCES/krb5-kvno-230379.patch
+++ b/SOURCES/krb5-kvno-230379.patch
@@ -3,7 +3,6 @@ From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 22 Apr 2016 10:03:07 -0400
 Subject: [PATCH] krb5-kvno-230379.patch
 
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
  src/kadmin/ktutil/ktutil.c    | 5 +++--
  src/lib/krb5/keytab/kt_file.c | 2 +-
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index e3a5ee2..5ea0c61 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -12,7 +12,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
@@ -88,6 +88,7 @@ Patch173: Convert-some-pkiDebug-messages-to-TRACE-macros.patch
 Patch174: Fix-certauth-built-in-module-returns.patch
 Patch175: Add-test-cert-with-no-extensions.patch
 Patch176: Expose-context-errors-in-pkinit_server_plugin_init.patch
+Patch177: Limit-ticket-lifetime-to-2-31-1-seconds.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -309,6 +310,7 @@ ONLY by kerberos itself. Do not depend on this package.
 %patch174 -p1 -b .Fix-certauth-built-in-module-returns
 %patch175 -p1 -b .Add-test-cert-with-no-extensions
 %patch176 -p1 -b .Expose-context-errors-in-pkinit_server_plugin_init
+%patch177 -p1 -b .Limit-ticket-lifetime-to-2-31-1-seconds
 
 ln NOTICE LICENSE
 
@@ -813,6 +815,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Fri Mar 02 2018 Robbie Harwood <rharwood@redhat.com> - 1.15.1-19
+- Limit ticket lifetime to 2^31-1 seconds
+- Resolves: #1554723
+
 * Tue Nov 28 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-18
 - Expose context errors in pkinit_server_plugin_init
 - Resolves: #1460089