Use KRB5_TC_MATCH_TIMES when looking for creds
@@ -702,7 +702,10 @@ find_cred(krb5_context context,
|
||||
|
||||
krb5_cc_clear_mcred(&mcreds);
|
||||
mcreds.server = server;
|
||||
ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
|
||||
krb5_timeofday(context, &mcreds.times.endtime);
|
||||
ret = krb5_cc_retrieve_cred(context, id,
|
||||
KRB5_TC_DONT_MATCH_REALM |
|
||||
KRB5_TC_MATCH_TIMES,
|
||||
&mcreds, out_creds);
|
||||
if(ret == 0)
|
||||
return 0;
|
||||
@@ -983,11 +986,13 @@ get_cred_kdc_referral(krb5_context context,
|
||||
krb5_creds mcreds;
|
||||
char *referral_realm;
|
||||
|
||||
/* Use cache if we are not doing impersonation or contrainte deleg */
|
||||
/* Use cache if we are not doing impersonation or contrained deleg */
|
||||
if (impersonate_principal == NULL || flags.b.constrained_delegation) {
|
||||
krb5_cc_clear_mcred(&mcreds);
|
||||
mcreds.server = referral.server;
|
||||
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &ticket);
|
||||
krb5_timeofday(context, &mcreds.times.endtime);
|
||||
ret = krb5_cc_retrieve_cred(context, ccache, KRB5_TC_MATCH_TIMES,
|
||||
&mcreds, &ticket);
|
||||
} else
|
||||
ret = EINVAL;
|
||||
|
||||
@@ -1122,38 +1127,27 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
|
||||
krb5_creds *in_creds, krb5_creds *out_creds)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_timestamp timeret;
|
||||
krb5_timestamp now;
|
||||
krb5_times save_times;
|
||||
|
||||
/*
|
||||
* If we got a credential, check if credential is expired before
|
||||
* returning it.
|
||||
*/
|
||||
save_times = in_creds->times;
|
||||
|
||||
krb5_timeofday(context, &now);
|
||||
|
||||
if (!(options & KRB5_GC_EXPIRED_OK) &&
|
||||
in_creds->times.endtime < now) {
|
||||
in_creds->times.renew_till = 0;
|
||||
krb5_timeofday(context, &in_creds->times.endtime);
|
||||
options |= KRB5_TC_MATCH_TIMES;
|
||||
}
|
||||
ret = krb5_cc_retrieve_cred(context, ccache,
|
||||
options & KRB5_TC_MATCH_KEYTYPE,
|
||||
in_creds, out_creds);
|
||||
if (ret != 0)
|
||||
return ret; /* Caller will check for KRB5_CC_END */
|
||||
(options &
|
||||
(KRB5_TC_MATCH_KEYTYPE |
|
||||
KRB5_TC_MATCH_TIMES)),
|
||||
in_creds, out_creds);
|
||||
|
||||
/*
|
||||
* If we got a credential, check if credential is expired before
|
||||
* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
|
||||
*/
|
||||
|
||||
/* If expired ok, don't bother checking */
|
||||
if (options & KRB5_GC_EXPIRED_OK)
|
||||
return 0;
|
||||
|
||||
krb5_timeofday(context, &timeret);
|
||||
if (out_creds->times.endtime > timeret)
|
||||
return 0;
|
||||
|
||||
/* Expired and not ok; remove and pretend we didn't find it */
|
||||
if (options & KRB5_GC_CACHED)
|
||||
krb5_cc_remove_cred(context, ccache, 0, out_creds);
|
||||
|
||||
krb5_free_cred_contents(context, out_creds);
|
||||
memset(out_creds, 0, sizeof (*out_creds));
|
||||
return KRB5_CC_END;
|
||||
in_creds->times = save_times;
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void
|
||||
|
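Review bot: In check_cc, an already-expired cached ticket can still be returned when the caller passes a future `in_creds->times.endtime` without KRB5_GC_EXPIRED_OK. KRB5_TC_MATCH_TIMES is only added under `in_creds->times.endtime < now`, and the old post-retrieval test against `out_creds->times.endtime` appears to be dropped. The `+`/`-` markers are lost in this rendering, so that reading rests on the hunk's line counts, and whether any caller sets a future endtime is not visible here. I would keep a cheap expiry check after the lookup, placed after the caller's times are restored, as sketched below; it reuses `now` and the cleanup calls the removed code used.

```c
    in_creds->times = save_times;
    /*
     * Time matching is skipped when the caller asked for a future
     * endtime, so still refuse a ticket that has already expired.
     */
    if (ret == 0 && !(options & KRB5_GC_EXPIRED_OK) &&
        out_creds->times.endtime <= now) {
        krb5_free_cred_contents(context, out_creds);
        memset(out_creds, 0, sizeof (*out_creds));
        return KRB5_CC_END;
    }
    return ret;
```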