From 8d20888e09e0b42b5e7b67b0ff3d50de89a6016c Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@auristor.com>
Date: Mon, 17 Jun 2024 12:36:32 -0400
Subject: [PATCH] krb5: Red Hat gssproxy FILE ccache remove cred compatibility

gssproxy stores its credentials in the ccache with endtime == 0.
Therefore, it is not safe to skip ccache entries with endtime == 0
unless authtime is non-zero as well.
---
 lib/krb5/fcache.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index 0e6a61244..1c32389fa 100644
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -983,6 +983,17 @@ fcc_get_first(krb5_context context,
     return 0;
 }
 
+/*
+ * Return true if cred is a removed entry.  We assume that any active entry
+ * with endtime=0 (such as a config entry or gssproxy encrypted credential)
+ * will also have authtime=0.
+ */
+static inline krb5_boolean
+cred_removed(krb5_creds *c)
+{
+    return c->times.endtime == 0 && c->times.authtime != 0;
+}
+
 static krb5_error_code KRB5_CALLCONV
 fcc_get_next (krb5_context context,
 	      krb5_ccache id,
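Review bot: cred_removed() is only correct if the code that marks an entry as removed also leaves a non-zero authtime in it, and neither the comment nor this hunk says so. The comment covers active entries (endtime=0 goes with authtime=0) but not the matching requirement on the remove path, which is outside this diff. If that path only zeroes endtime, a removed config or gssproxy entry whose authtime was already 0 would be returned by fcc_get_next (second hunk) as a live credential. I would add a line to the comment such as `The remove path must store a non-zero authtime together with endtime=0.` and confirm the remove code does that. Since the helper only reads the structure, the parameter can also be `const krb5_creds *c`.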
@@ -1011,7 +1022,7 @@ fcc_get_next (krb5_context context,
 	    break;
 	}
 
-	if (creds->times.endtime != 0)
+	if (!cred_removed(creds))
 	    break;
 
 	krb5_free_cred_contents(context, creds);