From 3bb33fa6e8171dcebb563bd1c75339b413c6a488 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Mon, 13 Apr 2015 18:39:14 -0500
Subject: [PATCH] Fix cred handle lifetime/expiration confusion
In at least two instances the krb5 cred handle expiration time was misused as a remaining lifetime. This is not surprising since the field name is wrong ("lifetime" not "expiration"). This commit fixes the code, the next commit will rename the field and change its type from OM_uint32 to time_t.
---
 lib/gssapi/krb5/acquire_cred.c | 17 ++++++++++++-----
 lib/gssapi/krb5/copy_ccache.c | 11 +++++++++--
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c
index d51e0f0a8..c340f9482 100644
--- a/lib/gssapi/krb5/acquire_cred.c
+++ b/lib/gssapi/krb5/acquire_cred.c
@@ -41,15 +41,15 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
 OM_uint32 *lifetime)
 {
 krb5_error_code kret;
- time_t exp;
+ time_t left;
- kret = krb5_cc_get_lifetime(context, id, &exp);
+ kret = krb5_cc_get_lifetime(context, id, &left);
 if (kret) {
 *minor_status = kret;
 return GSS_S_FAILURE;
 }
- *lifetime = exp;
+ *lifetime = left;
 return GSS_S_COMPLETE;
 }
@@ -99,6 +99,7 @@ static OM_uint32 acquire_initiator_cred
 krb5_keytab keytab;
 krb5_error_code kret;
 int try_get_init_creds = 0;
+ time_t now;
 keytab = NULL;
 ccache = NULL;
@@ -207,18 +208,24 @@ static OM_uint32 acquire_initiator_cred
 }
 found:
+ krb5_timeofday(context, &now);
 ret = __gsskrb5_ccache_lifetime(minor_status,
 context,
 ccache,
 handle->principal,
- &handle->lifetime);
+ &left);
 if (ret != GSS_S_COMPLETE) {
 krb5_cc_close(context, ccache);
 goto end;
 }
- kret = 0;
+ /*
+ * XXX: This is persistent state, and needs to be absolute not
+ * relative time, and so the field name is wrong!
+ */
+ handle->lifetime = now + left;
 handle->ccache = ccache;
 ret = GSS_S_COMPLETE;
+ kret = 0;
 end:
 if (cred.client != NULL)
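Review bot: `left` is never declared in acquire_initiator_cred as far as these hunks show: this hunk adds only `time_t now;`, while the `found:` hunk below passes `&left` to __gsskrb5_ccache_lifetime and computes `now + left`. The `time_t left` introduced in the first hunk is local to __gsskrb5_ccache_lifetime and is not visible here. Unless a declaration already exists above this hunk, the file will not build; add `OM_uint32 left;` after `time_t now;`, as the copy_ccache.c hunk does, with that type because the callee's out-parameter is `OM_uint32 *lifetime`. The function body starts and ends outside the hunk.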
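Review bot: `handle->lifetime = now + left;` narrows a time_t sum into a field that the commit message says is still OM_uint32, and nothing checks that the sum fits. If the cache can report a very large remaining lifetime, or once the clock value itself exceeds 32 bits, the stored expiry wraps and the credential is then judged against a wrong expiry time. Until the field is widened, guard the addition, for example `handle->lifetime = (left > (OM_uint32)-1 - (OM_uint32)now) ? (OM_uint32)-1 : (OM_uint32)now + left;` (the saturation value is a suggestion and must be one the readers of the field handle), and confirm that every reader outside this hunk now treats the field as an absolute time. The same assignment in _gsskrb5_krb5_import_cred in copy_ccache.c has the same exposure; acquire_initiator_cred itself continues past the end of the hunk.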
diff --git a/lib/gssapi/krb5/copy_ccache.c b/lib/gssapi/krb5/copy_ccache.c
index e332d29c8..611b95ae9 100644
--- a/lib/gssapi/krb5/copy_ccache.c
+++ b/lib/gssapi/krb5/copy_ccache.c
@@ -89,6 +89,8 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
 handle->usage = 0;
 if (id) {
+ time_t now;
+ OM_uint32 left;
 char *str;
 handle->usage |= GSS_C_INITIATE;
@@ -116,17 +118,22 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
 }
 }
+ krb5_timeofday(context, &now);
 ret = __gsskrb5_ccache_lifetime(minor_status,
 context,
 id,
 handle->principal,
- &handle->lifetime);
+ &left);
 if (ret != GSS_S_COMPLETE) {
 krb5_free_principal(context, handle->principal);
 free(handle);
 return ret;
 }
-
+ /*
+ * XXX: This is a stored value, hence an absolute time, and the field
+ * name is misleading.
+ */
+ handle->lifetime = now + left;
 kret = krb5_cc_get_full_name(context, id, &str);
 if (kret)
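Review bot: The return value of `krb5_timeofday(context, &now)` is discarded, so if that call can fail, `now` is read uninitialized in `handle->lifetime = now + left;` and the stored expiry is indeterminate. Checking it and leaving through the same cleanup as the lifetime-lookup failure just below keeps a bad clock read from producing a handle with an arbitrary expiry. The call added at `found:` in acquire_cred.c is unchecked in the same way; there the matching exit would be the existing `krb5_cc_close` and `goto end` path. _gsskrb5_krb5_import_cred starts and ends outside the hunk.

```c
kret = krb5_timeofday(context, &now);
if (kret) {
    /* mirror the cleanup used when the lifetime lookup fails */
    *minor_status = kret;
    krb5_free_principal(context, handle->principal);
    free(handle);
    return GSS_S_FAILURE;
}
/* … unchanged: __gsskrb5_ccache_lifetime call, its error path, and the handle->lifetime assignment … */
```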