From 7f06579f48a238553ed5c22938aa9f1d7574ad49 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Aug 30 2012 18:22:23 +0000
Subject: backport patch from RT#7229
- backport patch to disable replay detection in krb5_verify_init_creds() while reading the AP-REQ that's generated in the same function (RT#7229)
---
diff --git a/krb5-1.10.2-replay.patch b/krb5-1.10.2-replay.patch
new file mode 100644
index 0000000..d6dfff0
--- /dev/null
+++ b/krb5-1.10.2-replay.patch
@@ -0,0 +1,17 @@
+Backport from ticket 7229.
+--- krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
++++ krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
+@@ -194,6 +194,13 @@ krb5_verify_init_creds(krb5_context cont
+ authcon = NULL;
+ }
+
++ /* Build an auth context that won't bother with replay checks -- it's
++ * not as if we're going to mount a replay attack on ourselves here. */
++ if (ret = krb5_auth_con_init(context, &authcon))
++ goto cleanup;
++ if (ret = krb5_auth_con_setflags(context, authcon, 0))
++ goto cleanup;
++
+ /* verify the ap_req */
+
+ if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
diff --git a/krb5.spec b/krb5.spec
index ef3aa61..812cd1f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -29,7 +29,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -81,6 +81,7 @@ Patch103: krb5-1.10-gcc47.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
 Patch107: krb5-trunk-pkinit-anchorsign.patch
+Patch108: krb5-1.10.2-replay.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -269,6 +270,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
 %patch107 -p1 -b .pkinit-anchorsign
+%patch108 -p1 -b .replay
 rm src/lib/krb5/krb/deltat.c
 gzip doc/*.ps
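Review bot: The two new guards in the backported hunk use a bare assignment as the condition, `if (ret = krb5_auth_con_init(context, &authcon))`, which -Wparentheses flags and which differs both from the upstream form carried in this same commit (`ret = ...; if (ret)`) and from the adjacent `if ((ret = krb5_rd_req(` line; `if ((ret = krb5_auth_con_init(context, &authcon)) != 0)` and likewise for the setflags call keep the backport consistent with its surroundings. Separately, `krb5_auth_con_setflags(context, authcon, 0)` clears every flag, not only replay detection: if, as I recall, a freshly initialised auth context carries KRB5_AUTH_CONTEXT_DO_TIME and krb5_rd_req gates its replay-cache use on that flag, this also skips the authenticator timestamp check, which is harmless for an AP-REQ this function built itself but worth stating in the comment, e.g. `/* Flags 0 drops DO_TIME, so neither the replay cache nor the authenticator timestamp is checked; both are meaningless for an AP-REQ we generated ourselves. */`. The enclosing krb5_verify_init_creds starts and ends outside the hunk, so whether the cleanup label releases the auth context created here when setflags fails cannot be confirmed from this view.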
@@ -837,6 +839,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-3
+- backport patch to disable replay detection in krb5_verify_init_creds()
+ while reading the AP-REQ that's generated in the same function (RT#7229)
+
+* Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-2
+- undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
+- version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
diff --git a/replay.patch b/replay.patch
new file mode 100644
index 0000000..193f139
--- /dev/null
+++ b/replay.patch
@@ -0,0 +1,31 @@
+commit f1783431cb8f146095067f5e2531e9155a8787bb
+Author: Nalin Dahyabhai
+Date: Wed Apr 18 14:01:39 2012 -0400
+
+ Turn off replay cache in krb5_verify_init_creds()
+
+ The library isn't attempting a replay attack on itself, so any detected
+ replays are only going to be false-positives.
+
+ ticket: 7229 (new)
+
+diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
+index 14acb0a..e88a37f 100644
+--- a/src/lib/krb5/krb/vfy_increds.c
++++ b/src/lib/krb5/krb/vfy_increds.c
+@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
+ authcon = NULL;
+ }
+
++ /* Build an auth context that won't bother with replay checks -- it's
++ * not as if we're going to mount a replay attack on ourselves here. */
++ ret = krb5_auth_con_init(context, &authcon);
++ if (ret)
++ goto cleanup;
++ ret = krb5_auth_con_setflags(context, authcon, 0);
++ if (ret)
++ goto cleanup;
++
+ /* Verify the ap_req. */
+ ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
+ if (ret)
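Review bot: replay.patch is added to the package repository but nothing in this commit applies it: the spec change lists only `Patch108: krb5-1.10.2-replay.patch` and runs `%patch108 -p1 -b .replay`, so this copy of upstream commit f1783431 ships in the repo unused. If it is kept as the reference for the 1.10.2 backport, a one-line header such as `Upstream original of krb5-1.10.2-replay.patch (ticket 7229); not applied by the spec.` would make that explicit; otherwise it should be dropped so a later maintainer does not mistake it for a second, unapplied fix. The code in this hunk is the upstream form, `ret = krb5_auth_con_init(context, &authcon); if (ret) goto cleanup;`, which is the pattern the backport file should mirror rather than an assignment-in-condition. Its enclosing function get_vfy_cred starts and ends outside the hunk.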