To: krb5-bugs@mit.edu
From: Ken Raeburn
Date: Thu, 04 Nov 2004 00:31:21 -0500
Subject: file ccache should be held open while scanning for credentials

I ran "kvno" under strace, and found it opened my credential cache file for reading (and acquired and released an advisory lock, and closed the file) 22 times. I think it made two passes over the credentials, once looking for the requested service and once looking for the TGT, and opening the file anew for each credential object read. It also made at least a couple passes reading out header info.

So it looks like searching for credentials that are at the end of the file or not present, in a ccache of n entries, is O(n) file opens and O(n^2) reads. Looks like krb5_get_credentials or whatever should temporarily set the ccache flag that causes the file to be kept open. (And, of course, it's reading each sub-object with a separate read() call, but we knew that sucked already.)

Ken
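
The access pattern described in the message, as an added example that is not part of the original report or the krb5 source: a toy model in C that counts logical opens and reads while scanning a constructed 22-record file, once reopening per record and once holding the file open. The record layout, the file name `ccache_demo.bin`, and the assumption that each reopen walks from the start of the file to reach the next record are illustrative, not the real ccache format or code.

```c
#include <stdio.h>
#include <string.h>

#define REC_LEN 16  /* constructed fixed-size payload, not the real ccache format */
struct io_stats { long opens, reads; };  /* logical calls, not syscalls */

/* Write n constructed records: native-endian 4-byte length, then payload. */
static int make_cache(const char *path, int n) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (int i = 0; i < n; i++) {
        unsigned int len = REC_LEN;
        char payload[REC_LEN];
        memset(payload, 'a' + i % 26, sizeof payload);
        fwrite(&len, sizeof len, 1, f);
        fwrite(payload, 1, len, f);
    }
    return fclose(f);
}

/* Read one record as two separate sub-object reads (length, then payload). */
static int read_record(FILE *f, struct io_stats *st) {
    unsigned int len; char buf[REC_LEN];
    st->reads++;
    if (fread(&len, sizeof len, 1, f) != 1 || len > sizeof buf) return 0;
    st->reads++;
    return fread(buf, 1, len, f) == len;
}

/* Scan all n records looking for one that is absent (worst case).
 * keep_open=0: reopen for every record and (assumption) re-walk from the
 * start of the file. keep_open=1: one handle held for the whole scan. */
struct io_stats scan(const char *path, int n, int keep_open) {
    struct io_stats st = {0, 0};
    FILE *f = NULL;
    for (int i = 0; i < n; i++) {
        if (!keep_open || !f) {
            if (!(f = fopen(path, "rb"))) return st;
            st.opens++;
            for (int k = 0; k < i; k++) read_record(f, &st);  /* skip earlier records */
        }
        read_record(f, &st);
        if (!keep_open) { fclose(f); f = NULL; }
    }
    if (f) fclose(f);
    return st;
}

int main(void) {
    if (make_cache("ccache_demo.bin", 22) != 0) return 1;
    struct io_stats a = scan("ccache_demo.bin", 22, 0), b = scan("ccache_demo.bin", 22, 1);
    printf("reopen: %ld opens, %ld reads; held open: %ld opens, %ld reads\n", a.opens, a.reads, b.opens, b.reads);
    return remove("ccache_demo.bin");
}
```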