
Subject: krb5_get_cred_from_kdc_opt() can return stale creds
CC: Mark.Phalan@Sun.COM

krb5_get_cred_from_kdc_opt() can return stale creds. See patch for fix.
Download gc_frm_kdc-2.patch
text/x-patch 1.6KiB
Index: src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- src/lib/krb5/krb/gc_frm_kdc.c (revision 19842)
+++ src/lib/krb5/krb/gc_frm_kdc.c (working copy)
@@ -149,7 +149,9 @@
* A cross-realm TGT may be issued by some other intermediate realm's
* KDC, so we use KRB5_TC_MATCH_SRV_NAMEONLY.
*/
-#define RETR_FLAGS (KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES)
+#define RETR_FLAGS (KRB5_TC_MATCH_SRV_NAMEONLY | \
+ KRB5_TC_SUPPORTED_KTYPES | \
+ KRB5_TC_MATCH_TIMES)

/*
* Prototypes of helper functions
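Review bot: The comment above RETR_FLAGS still explains only KRB5_TC_MATCH_SRV_NAMEONLY, yet with KRB5_TC_MATCH_TIMES added the macro now carries an unstated precondition on every caller. As far as I know the ccache time match skips a zero endtime in the match creds, so any lookup using RETR_FLAGS that does not first set `times.endtime` would still accept an expired TGT without any error. I would extend the comment with something like `KRB5_TC_MATCH_TIMES rejects expired TGTs only if the caller sets mcreds times.endtime to the current time before the lookup`. It is also worth checking whether any RETR_FLAGS call site outside the three patched here is left uncovered.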
@@ -393,12 +395,18 @@
krb5_error_code retval;

TR_DBG(ts, "try_ccache");
+
+ if ((retval = krb5_timeofday(ts->ctx, &(tgtq->times.endtime))) != 0) {
+ return retval;
+ }
retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache, RETR_FLAGS,
tgtq, ts->nxt_cc_tgt);
if (!retval) {
shift_cc_tgts(ts);
ts->nxt_tgt = ts->cur_cc_tgt;
}
+
+ tgtq->times.endtime = 0;
TR_DBG_RET(ts, "try_ccache", retval);
return retval;
}
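Review bot: Resetting `tgtq->times.endtime = 0;` after the lookup assumes the field was zero on entry, and tgtq is a caller-supplied structure, so a value set elsewhere would be clobbered. Saving and restoring is safer: `krb5_timestamp saved_end = tgtq->times.endtime;` before the krb5_timeofday() call and `tgtq->times.endtime = saved_end;` in place of the reset. The early `return retval;` on krb5_timeofday() failure also skips the `TR_DBG_RET(ts, "try_ccache", retval);` trace that the other exit produces. The start of try_ccache lies outside the hunk.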
@@ -840,6 +848,10 @@

/* Fast path: Is it in the ccache? */
context->use_conf_ktypes = 1;
+
+ if ((retval = krb5_timeofday(context, &(tgtq.times.endtime))) != 0) {
+ goto cleanup;
+ }
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
&tgtq, &cc_tgt);
if (!retval) {
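Review bot: The new `goto cleanup;` on krb5_timeofday() failure is taken after `context->use_conf_ktypes = 1;` has already been set. Unless the cleanup label restores that flag (not visible in this hunk), the caller's context is left with the enctype override switched on. Calling krb5_timeofday() before the `context->use_conf_ktypes = 1;` line avoids this. The same ordering appears in the hunk at `@@ -1070,6 +1082,10 @@`. In both places `tgtq.times.endtime` also stays set to the lookup time afterwards, whereas try_ccache resets it, so any later use of tgtq in these functions with KRB5_TC_MATCH_TIMES would compare against a stale timestamp. That last point should be confirmed against the rest of each function body, which is outside the hunks.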
@@ -1070,6 +1082,10 @@
*tgts = NULL;
}
context->use_conf_ktypes = 1;
+
+ if ((retval = krb5_timeofday(context, &(tgtq.times.endtime))) != 0) {
+ goto cleanup;
+ }
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
&tgtq, &cc_tgt);
if (!retval) {