commit a9bd3c6e50 ("Fix racy file ccache
corruption in cred_delete()") implemented krb5_cc_remove_cred() for
"FILE" ccaches by overwriting the removed credential endtime value
with zero (Unix Epoch). However, it did not modify fcc_get_next()
to filter out these deleted entries. As a result, invalid credentials
can be returned from the FILE ccache where endtime < starttime.
RFC4120 requires endtime >= starttime for all tickets.
MIT Kerberos since d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5
("Implement krb5_cc_remove_cred for remaining types") modifies a
removed cred by setting
endtime = 0
authtime = -1
and then filters out removed creds from the fcc_next_cred() results.
In 2013 Heimdal broke interop with MIT processes that share the
FILE ccache by implementing remove by setting "endtime = 0" and
now MIT has broken interop with the Heimdal implementation of
fcc_remove_cred() by checking for both "endtime = 0" and "authtime = -1".
This change filters results from fcc_get_next() when the "endtime == 0"
which is acceptable because a KDC is not permitted to return a
ticket with an endtime == 0.
68dbf1ba10