[krb5/f20] Pull in fix for KDC timesync with keyring ccaches
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Jan 21 23:57:58 UTC 2014
commit ec82b14437298e7eb822f27a4fab8c5a67e26471
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Tue Jan 21 18:33:56 2014 -0500
Pull in fix for KDC timesync with keyring ccaches
- pull in upstream patch to fix the GSSAPI library's checks for expired
client creds in gss_init_sec_context() so that they work with keyring
caches (RT#7820, #1030607)
krb5-master-keyring-kdcsync.patch | 108 +++++++++++++++++++++++++++++++++++++
krb5.spec | 9 +++
2 files changed, 117 insertions(+), 0 deletions(-)
---
diff --git a/krb5-master-keyring-kdcsync.patch b/krb5-master-keyring-kdcsync.patch
new file mode 100644
index 0000000..3079bf2
--- /dev/null
+++ b/krb5-master-keyring-kdcsync.patch
@@ -0,0 +1,108 @@
+commit e99c688913a7761c6adea9488ea9355f43539883
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Thu Jan 16 17:48:54 2014 -0500
+
+ Get time offsets for all keyring ccaches
+
+ Move the time offset lookup from krb5_krcc_resolve to make_cache, so
+ that we fetch time offsets for caches created by
+ krb5_krcc_ptcursor_next.
+
+ ticket: 7820
+ target_version: 1.12.2
+ tags: pullup
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index a0c8035..27bad9d 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
+
+ /* Create a cache handle for a cache ID. */
+ static krb5_error_code
+-make_cache(key_serial_t collection_id, key_serial_t cache_id,
+- const char *anchor_name, const char *collection_name,
+- const char *subsidiary_name, krb5_ccache *cache_out)
++make_cache(krb5_context context, key_serial_t collection_id,
++ key_serial_t cache_id, const char *anchor_name,
++ const char *collection_name, const char *subsidiary_name,
++ krb5_ccache *cache_out)
+ {
+ krb5_error_code ret;
++ krb5_os_context os_ctx = &context->os_context;
+ krb5_ccache ccache = NULL;
+ krb5_krcc_data *d;
+ key_serial_t pkey = 0;
+@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ ccache->data = d;
+ ccache->magic = KV5M_CCACHE;
+ *cache_out = ccache;
++
++ /* Lookup time offsets if necessary. */
++ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
++ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
++ if (krb5_krcc_get_time_offsets(context, ccache,
++ &os_ctx->time_offset,
++ &os_ctx->usec_offset) == 0) {
++ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
++ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
++ }
++ }
++
+ return 0;
+ }
+
+@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ static krb5_error_code KRB5_CALLCONV
+ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ {
+- krb5_os_context os_ctx = &context->os_context;
+ krb5_error_code ret;
+ key_serial_t collection_id, cache_id;
+ char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
+@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ if (cache_id < 0)
+ cache_id = 0;
+
+- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
+- subsidiary_name, id);
++ ret = make_cache(context, collection_id, cache_id, anchor_name,
++ collection_name, subsidiary_name, id);
+ if (ret)
+ goto cleanup;
+
+- /* Lookup time offsets if necessary. */
+- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+- if (krb5_krcc_get_time_offsets(context, *id,
+- &os_ctx->time_offset,
+- &os_ctx->usec_offset) == 0) {
+- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+- }
+- }
+-
+ cleanup:
+ free(anchor_name);
+ free(collection_name);
+@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+ cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
+ first_name, 0);
+ if (cache_id != -1) {
+- return make_cache(data->collection_id, cache_id, data->anchor_name,
+- data->collection_name, first_name, cache_out);
++ return make_cache(context, data->collection_id, cache_id,
++ data->anchor_name, data->collection_name,
++ first_name, cache_out);
+ }
+ }
+
+@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+
+ /* We found a valid key */
+ data->next_key++;
+- ret = make_cache(data->collection_id, key, data->anchor_name,
++ ret = make_cache(context, data->collection_id, key, data->anchor_name,
+ data->collection_name, subsidiary_name, cache_out);
+ free(description);
+ return ret;
diff --git a/krb5.spec b/krb5.spec
index 40e6b94..cb1e78d 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -129,6 +129,8 @@ Patch155: krb5-master-empty-credstore.patch
Patch156: krb5-1.11.3-1.12.1-credstoretest.patch
Patch157: krb5-1.11-rcache-acquirecred-test.patch
+Patch158: krb5-master-keyring-kdcsync.patch
+
# Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch
Patch202: krb5-1.11.2-otp.patch
@@ -400,6 +402,8 @@ ln -s NOTICE LICENSE
%patch156 -p1 -b .credstoretest
%patch157 -p1 -b .rcache-acquirecred-test
+%patch158 -p1 -b .keyring-kdcsync
+
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
%patch203 -p1 -b .otp2
@@ -1051,6 +1055,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Jan 21 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-39
+- pull in upstream patch to fix the GSSAPI library's checks for expired
+ client creds in gss_init_sec_context() so that they work with keyring
+ caches (RT#7820, #1030607)
+
* Tue Jan 21 2014 Nalin Dahyabhai <nalin at redhat.com>
- pull in and backport multiple changes to allow replay caches to be added to
a GSS credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
More information about the scm-commits
mailing list