From: ghudson@mit.edu
Subject: git commit

Better fix for not using expired TGTs in TGS-REQs

We want to generate a KRB5_AP_ERR_TKT_EXPIRED code when the TGT is expired, like we would if we tried the TGT against the KDC. To make this work, separate the helpers for getting local and crossrealm cached TGTs. For a crossrealm TGT, match against the endtime, as there could be multiple entries. For a local TGT, find any match, but check if it's expired.

The cache_code field is no longer needed after this change, so get rid of it.

https://github.com/krb5/krb5/commit/bcece3a8289dcce0dc0a2bf7a35ed339ee9a98ec
Author: Greg Hudson
Commit: bcece3a8289dcce0dc0a2bf7a35ed339ee9a98ec
Branch: master

 src/lib/krb5/krb/get_creds.c | 144 ++++++++++++++++++++++++++---------------
 1 files changed, 91 insertions(+), 53 deletions(-)
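
The two lookup policies the commit message describes, as an added example that is not code from the krb5 tree. The struct, enum, function names and the sample cache are hypothetical and constructed for illustration; the real helpers operate on krb5 credential caches.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of a cached TGT; not krb5's own types. */
struct tgt_entry { const char *server; time_t endtime; };
enum tgt_result { TGT_FOUND, TGT_NOT_FOUND, TGT_EXPIRED };

/* Constructed sample cache: one expired local TGT, two cross-realm entries. */
static const struct tgt_entry sample_cache[] = {
    { "krbtgt/A.EXAMPLE@A.EXAMPLE", 500 },
    { "krbtgt/B.EXAMPLE@A.EXAMPLE", 400 },
    { "krbtgt/B.EXAMPLE@A.EXAMPLE", 2000 },
};

/* Local TGT: accept any matching entry, then check expiry, so the caller can
 * surface an expired-ticket error rather than "no credentials found". */
enum tgt_result find_local_tgt(const struct tgt_entry *c, size_t n,
                               const char *server, time_t now,
                               const struct tgt_entry **out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(c[i].server, server) != 0)
            continue;
        if (c[i].endtime <= now)
            return TGT_EXPIRED;
        *out = &c[i];
        return TGT_FOUND;
    }
    return TGT_NOT_FOUND;
}

/* Cross-realm TGT: several entries may exist for the same server, so the
 * match itself filters on endtime and skips the expired ones. */
enum tgt_result find_crossrealm_tgt(const struct tgt_entry *c, size_t n,
                                    const char *server, time_t now,
                                    const struct tgt_entry **out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(c[i].server, server) == 0 && c[i].endtime > now) {
            *out = &c[i];
            return TGT_FOUND;
        }
    }
    return TGT_NOT_FOUND;
}

int main(void)
{
    const struct tgt_entry *hit = NULL;
    printf("local: %d\n", find_local_tgt(sample_cache, 3, "krbtgt/A.EXAMPLE@A.EXAMPLE", 1000, &hit));
    printf("cross-realm: %d\n", find_crossrealm_tgt(sample_cache, 3, "krbtgt/B.EXAMPLE@A.EXAMPLE", 1000, &hit));
    return 0;
}
```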