From 0b6cf208b14bb25a34980aedd7cc3359316fecf9 Mon Sep 17 00:00:00 2001
From: zhangxingrong
Date: Tue, 23 Jul 2024 18:15:38 +0800
Subject: [PATCH] Change krb5_get_credentials() endtime behavior

(cherry picked from commit f298607b757c6f0c150f2a0472970583f5b04484)
---
 ...rb5_get_credentials-endtime-behavior.patch | 77 +++++++++++++++++++
 krb5.spec | 6 +-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 backport-Change-krb5_get_credentials-endtime-behavior.patch

diff --git a/backport-Change-krb5_get_credentials-endtime-behavior.patch b/backport-Change-krb5_get_credentials-endtime-behavior.patch
new file mode 100644
index 0000000..7804239
--- /dev/null
+++ b/backport-Change-krb5_get_credentials-endtime-behavior.patch
@@ -0,0 +1,77 @@
+From e68890329f8ab766f9b746351b5c7d2d18d8dd48 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Thu, 27 Jun 2024 07:25:21 -0400
+Subject: [PATCH] Change krb5_get_credentials() endtime behavior
+
+Historically, krb5_get_credentials() uses in_creds->times.endtime both
+as the TGS request endtime and as a cache lookup criterion. These
+uses are in conflict; setting a TGS request endtime can only serve to
+limit the maximum lifetime of the issued ticket, while a cache lookup
+endtime restricts the minimum lifetime of an acceptable cached ticket.
+The likely outcome is to never use a cached ticket, leading to poor
+performance as we add an entry to the cache for each request.
+
+Change to the Heimdal behavior of using in_creds->times.endtime only
+as the TGS request endtime.
+
+ticket: 9132 (new)
+---
+ src/include/krb5/krb5.hin | 8 ++++----
+ src/lib/krb5/krb/get_creds.c | 13 +++++--------
+ 2 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index 7c4fc10dd4..99b637872f 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -3043,10 +3043,10 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts);
+ * session key type is specified in @a in_creds->keyblock.enctype, if it is
+ * nonzero.
+ *
+- * The expiration date is specified in @a in_creds->times.endtime.
+- * The KDC may return tickets with an earlier expiration date.
+- * If @a in_creds->times.endtime is set to 0, the latest possible
+- * expiration date will be requested.
++ * If @a in_creds->times.endtime is specified, it is used as the requested
++ * expiration date if a TGS request is made. If @a in_creds->times.endtime is
++ * set to 0, the latest possible expiration date will be requested. The KDC or
++ * cache may return a ticket with an earlier expiration date.
+ *
+ * Any returned ticket and intermediate ticket-granting tickets are stored
+ * in @a ccache.
+diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
+index e986844a71..00becae965 100644
+--- a/src/lib/krb5/krb/get_creds.c
++++ b/src/lib/krb5/krb/get_creds.c
+@@ -53,18 +53,16 @@ construct_matching_creds(krb5_context context, krb5_flags options,
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields)
+ {
++ krb5_error_code ret;
++
+ if (!in_creds || !in_creds->server || !in_creds->client)
+ return EINVAL;
+
+ memset(mcreds, 0, sizeof(krb5_creds));
+ mcreds->magic = KV5M_CREDS;
+- if (in_creds->times.endtime != 0) {
+- mcreds->times.endtime = in_creds->times.endtime;
+- } else {
+- krb5_error_code retval;
+- retval = krb5_timeofday(context, &mcreds->times.endtime);
+- if (retval != 0) return retval;
+- }
++ ret = krb5_timeofday(context, &mcreds->times.endtime);
++ if (ret)
++ return ret;
+ mcreds->keyblock = in_creds->keyblock;
+ mcreds->authdata = in_creds->authdata;
+ mcreds->server = in_creds->server;
+@@ -75,7 +73,6 @@ construct_matching_creds(krb5_context context, krb5_flags options,
+ | KRB5_TC_SUPPORTED_KTYPES;
+ if (mcreds->keyblock.enctype) {
+ krb5_enctype *ktypes;
+- krb5_error_code ret;
+ int i;
+
+ *fields |= KRB5_TC_MATCH_KTYPE;
diff --git a/krb5.spec b/krb5.spec
index f1ce4ee..2136d3d 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@ Name: krb5
 Version: 1.21.2
-Release: 7
+Release: 8
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -37,6 +37,7 @@ Patch13: backport-Fix-more-non-prototype-functions.patch
 Patch14: backport-Fix-Python-regexp-literals.patch
 Patch15: backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch
 Patch16: backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
+Patch17: backport-Change-krb5_get_credentials-endtime-behavior.patch
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
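Review bot: After the first get_creds.c hunk, `mcreds->times.endtime` is always the current time, so (assuming `*fields` still carries KRB5_TC_MATCH_TIMES, which is set between the two hunks and not visible here) any cached ticket that has not yet expired matches regardless of the `in_creds->times.endtime` the caller passed, and nothing at the lookup site says so; a reader finds the explanation only in the krb5.hin text. A one-line comment above the `krb5_timeofday()` call would keep the old matching from being reintroduced, e.g. `/* Match any cached ticket still valid now; in_creds->times.endtime only bounds the TGS request. */`. Because this lands in a 1.21.2 maintenance package, a caller in this tree that relied on endtime to demand a minimum remaining lifetime would now have to check `out_creds->times.endtime` itself, which the spec changelog entry could state as a behaviour change visible to API consumers. `construct_matching_creds()` begins and ends outside the hunk, so where the TGS request endtime is taken from `in_creds` is not shown.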
@@ -335,6 +336,9 @@ make -C src check || :
 %{_mandir}/man8/*
 %changelog
+* Tue Jul 23 2024 zhangxingrong - 1.21.2-8
+- Change krb5_get_credentials() endtime behavior
+
 * Thu Jul 4 2024 xuraoqing - 1.21.2-7
 - backport patches to fix bugs and CVE-2024-37370 CVE-2024-37371
-- Gitee