Use KRB5_TC_MATCH_TIMES when looking for creds

Nicolas Williams
2013-08-02 18:55:36 -05:00
parent ccb148eedb
commit 0f1ae2d101


@@ -702,7 +702,10 @@ find_cred(krb5_context context,
krb5_cc_clear_mcred(&mcreds); krb5_cc_clear_mcred(&mcreds);
mcreds.server = server; mcreds.server = server;
ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM, krb5_timeofday(context, &mcreds.times.endtime);
ret = krb5_cc_retrieve_cred(context, id,
KRB5_TC_DONT_MATCH_REALM |
KRB5_TC_MATCH_TIMES,
&mcreds, out_creds); &mcreds, out_creds);
if(ret == 0) if(ret == 0)
return 0; return 0;
@@ -983,11 +986,13 @@ get_cred_kdc_referral(krb5_context context,
krb5_creds mcreds; krb5_creds mcreds;
char *referral_realm; char *referral_realm;
/* Use cache if we are not doing impersonation or contrainte deleg */ /* Use cache if we are not doing impersonation or contrained deleg */
if (impersonate_principal == NULL || flags.b.constrained_delegation) { if (impersonate_principal == NULL || flags.b.constrained_delegation) {
krb5_cc_clear_mcred(&mcreds); krb5_cc_clear_mcred(&mcreds);
mcreds.server = referral.server; mcreds.server = referral.server;
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &ticket); krb5_timeofday(context, &mcreds.times.endtime);
ret = krb5_cc_retrieve_cred(context, ccache, KRB5_TC_MATCH_TIMES,
&mcreds, &ticket);
} else } else
ret = EINVAL; ret = EINVAL;
@@ -1122,38 +1127,27 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
krb5_creds *in_creds, krb5_creds *out_creds) krb5_creds *in_creds, krb5_creds *out_creds)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_timestamp timeret; krb5_timestamp now;
krb5_times save_times;
/* save_times = in_creds->times;
* If we got a credential, check if credential is expired before
* returning it. krb5_timeofday(context, &now);
*/
if (!(options & KRB5_GC_EXPIRED_OK) &&
in_creds->times.endtime < now) {
in_creds->times.renew_till = 0;
krb5_timeofday(context, &in_creds->times.endtime);
options |= KRB5_TC_MATCH_TIMES;
}
ret = krb5_cc_retrieve_cred(context, ccache, ret = krb5_cc_retrieve_cred(context, ccache,
options & KRB5_TC_MATCH_KEYTYPE, (options &
(KRB5_TC_MATCH_KEYTYPE |
KRB5_TC_MATCH_TIMES)),
in_creds, out_creds); in_creds, out_creds);
if (ret != 0)
return ret; /* Caller will check for KRB5_CC_END */
/* in_creds->times = save_times;
* If we got a credential, check if credential is expired before return ret;
* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
*/
/* If expired ok, don't bother checking */
if (options & KRB5_GC_EXPIRED_OK)
return 0;
krb5_timeofday(context, &timeret);
if (out_creds->times.endtime > timeret)
return 0;
/* Expired and not ok; remove and pretend we didn't find it */
if (options & KRB5_GC_CACHED)
krb5_cc_remove_cred(context, ccache, 0, out_creds);
krb5_free_cred_contents(context, out_creds);
memset(out_creds, 0, sizeof (*out_creds));
return KRB5_CC_END;
} }
static void static void
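Review bot: In the check_cc hunk, KRB5_TC_MATCH_TIMES is set only when `in_creds->times.endtime < now`, so a caller that passes a future endtime without KRB5_GC_EXPIRED_OK gets no expiry filtering, now that the post-retrieval `out_creds->times.endtime > timeret` check is removed. Unless callers are known never to pass such a value, an expired cached ticket can be returned where the old code answered KRB5_CC_END. Setting the flag whenever expired tickets are not acceptable, and raising the endtime only when it lies in the past, closes that gap. This assumes KRB5_TC_MATCH_TIMES treats the match endtime as a lower bound, which is how the hunk already uses it, and it would also compare a caller-supplied renew_till. The second krb5_timeofday() call can reuse `now`.

```c
    krb5_timeofday(context, &now);

    if (!(options & KRB5_GC_EXPIRED_OK)) {
        /* Filter on times whenever expired tickets are not acceptable */
        if (in_creds->times.endtime < now) {
            in_creds->times.renew_till = 0;
            in_creds->times.endtime = now;
        }
        options |= KRB5_TC_MATCH_TIMES;
    }
    /* ... unchanged: krb5_cc_retrieve_cred() call and restore of in_creds->times ... */
```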