svn rev #24120: trunk/src/lib/gssapi/krb5/
ghudson@MIT.EDU
Tue Jun 8 12:14:24 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24120
Commit By: ghudson
Log Message:
ticket: 6739
target_version: 1.8.2
tags: pullup
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
Changed Files:
U trunk/src/lib/gssapi/krb5/k5unsealiov.c
Modified: trunk/src/lib/gssapi/krb5/k5unsealiov.c
===================================================================
--- trunk/src/lib/gssapi/krb5/k5unsealiov.c 2010-06-07 18:28:05 UTC (rev 24119)
+++ trunk/src/lib/gssapi/krb5/k5unsealiov.c 2010-06-08 16:14:24 UTC (rev 24120)
@@ -52,7 +52,6 @@
int signalg;
krb5_checksum cksum;
krb5_checksum md5cksum;
- krb5_timestamp now;
size_t cksum_len = 0;
size_t conflen = 0;
int direction;
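Review bot: dropping the "krb5_timestamp now;" declaration at the top of the function is only correct if the expiry check removed in the next hunk was its sole user, so please confirm nothing else in this function still reads "now". Separately, the log message speaks of the wrap/unwrap functions in general, while the Changed Files list shown here names only k5unsealiov.c; it would help to state whether the other wrap and unwrap paths are covered by this revision, so that behaviour at ticket expiry is consistent across all of them.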
@@ -280,19 +279,6 @@
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- retval = GSS_S_FAILURE;
- goto cleanup;
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- retval = GSS_S_CONTEXT_EXPIRED;
- goto cleanup;
- }
-
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
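Review bot: removing the "now > ctx->krb_times.endtime" test just after the qop_state assignment means this path never returns GSS_S_CONTEXT_EXPIRED, and nothing in the code or documentation records that this is intentional. A caller that relied on that status to tear down or re-establish a session once the ticket expired will now keep unwrapping messages indefinitely. Please leave a short comment at this spot saying that context expiration is deliberately not enforced during unwrap (the rationale in the log message would do), and note in the release notes for the target version that applications which need lifetime enforcement must check the remaining lifetime themselves, for example with gss_context_time(). A test that unwraps a token on a context whose endtime has passed would pin the new behaviour down.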