[krb5/f14/master] - fix a logic bug in computing key expiration times (RT#6762, #627022)

[Nalin Dahyabhai]

commit 74ff8271f08be97a56d2b9f269383730c6f12ebb
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Aug 24 18:30:01 2010 -0400

    - fix a logic bug in computing key expiration times (RT#6762, #627022)

 krb5-trunk-explife.patch |   28 ++++++++++++++++++++++++++++
 krb5.spec                |    7 ++++++-
 2 files changed, 34 insertions(+), 1 deletions(-)
---
diff --git a/krb5-trunk-explife.patch b/krb5-trunk-explife.patch
new file mode 100644
index 0000000..ddcf143
--- /dev/null
+++ b/krb5-trunk-explife.patch
@@ -0,0 +1,28 @@
+Rob Crittenden noticed that, in populate_krb5_db_entry(), key
+expirations weren't being computed as expected.  It turns out
+that neither KDB_PRINC_EXPIRE_TIME_ATTR nor KDB_PWD_EXPIRE_TIME_ATTR
+is defined to 1, so the check for their bits could never succeed as
+written.  RT#6762.
+
+Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+===================================================================
+--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	(revision 24252)
++++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	(working copy)
+@@ -2087,7 +2087,7 @@
+             goto cleanup;
+ 
+         if (attr_present == TRUE) {
+-            if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
++            if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) {
+                 if (expiretime < entry->expiration)
+                     entry->expiration = expiretime;
+             } else {
+@@ -2127,7 +2127,7 @@
+             if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
+                 goto cleanup;
+ 
+-            if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
++            if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
+                 if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
+                     entry->pw_expiration = last_pw_changed + pw_max_life;
+             } else
diff --git a/krb5.spec b/krb5.spec
index 1522fc4..749a25b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,7 +5,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.8.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -50,6 +50,7 @@ Patch71: krb5-1.8-dirsrv-accountlock.patch
 Patch72: krb5-1.7.1-24139.patch
 Patch73: krb5-1-8-gss-noexp.patch
 Patch74: krb5-1.8.2-getoptP.patch
+Patch75: krb5-trunk-explife.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -190,6 +191,7 @@ ln -s NOTICE LICENSE
 %patch72 -p1 -b .24139
 %patch73 -p0 -b .gss-noexp
 %patch74 -p1 -b .getoptP
+%patch75 -p0 -b .explife
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -641,6 +643,9 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Aug 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.2-4
+- fix a logic bug in computing key expiration times (RT#6762, #627022)
+
 * Wed Jul  7 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.2-3
 - tell krb5kdc and kadmind to create pid files, since they can
 - add logrotate configuration files for krb5kdc and kadmind (#462658)