svn rev #24121: trunk/src/lib/gssapi/krb5/
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Jun 8 12:26:23 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24121
Commit By: ghudson
Log Message:
ticket: 6739
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
(This is a continuation of r24120, which should have contained the
changes to all four files.)
Changed Files:
U trunk/src/lib/gssapi/krb5/k5seal.c
U trunk/src/lib/gssapi/krb5/k5sealiov.c
U trunk/src/lib/gssapi/krb5/k5unseal.c
Modified: trunk/src/lib/gssapi/krb5/k5seal.c
===================================================================
--- trunk/src/lib/gssapi/krb5/k5seal.c 2010-06-08 16:14:24 UTC (rev 24120)
+++ trunk/src/lib/gssapi/krb5/k5seal.c 2010-06-08 16:26:23 UTC (rev 24121)
@@ -328,7 +328,6 @@
{
krb5_gss_ctx_id_rec *ctx;
krb5_error_code code;
- krb5_timestamp now;
krb5_context context;
output_message_buffer->length = 0;
@@ -359,12 +358,6 @@
}
context = ctx->k5_context;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
-
switch (ctx->proto)
{
case 0:
@@ -396,5 +389,5 @@
*conf_state = conf_req_flag;
*minor_status = 0;
- return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
}
Modified: trunk/src/lib/gssapi/krb5/k5sealiov.c
===================================================================
--- trunk/src/lib/gssapi/krb5/k5sealiov.c 2010-06-08 16:14:24 UTC (rev 24120)
+++ trunk/src/lib/gssapi/krb5/k5sealiov.c 2010-06-08 16:26:23 UTC (rev 24121)
@@ -279,7 +279,6 @@
{
krb5_gss_ctx_id_rec *ctx;
krb5_error_code code;
- krb5_timestamp now;
krb5_context context;
if (qop_req != 0) {
@@ -298,19 +297,12 @@
return GSS_S_NO_CONTEXT;
}
- context = ctx->k5_context;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return GSS_S_FAILURE;
- }
-
if (conf_req_flag && kg_integ_only_iov(iov, iov_count)) {
/* may be more sensible to return an error here */
conf_req_flag = FALSE;
}
+ context = ctx->k5_context;
switch (ctx->proto) {
case 0:
code = make_seal_token_v1_iov(context, ctx, conf_req_flag,
@@ -333,7 +325,7 @@
*minor_status = 0;
- return (ctx->krb_times.endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
+ return GSS_S_COMPLETE;
}
#define INIT_IOV_DATA(_iov) do { (_iov)->buffer.value = NULL; \
Modified: trunk/src/lib/gssapi/krb5/k5unseal.c
===================================================================
--- trunk/src/lib/gssapi/krb5/k5unseal.c 2010-06-08 16:14:24 UTC (rev 24120)
+++ trunk/src/lib/gssapi/krb5/k5unseal.c 2010-06-08 16:26:23 UTC (rev 24121)
@@ -79,7 +79,6 @@
krb5_checksum md5cksum;
krb5_data plaind;
char *data_ptr;
- krb5_timestamp now;
unsigned char *plain;
unsigned int cksum_len = 0;
size_t plainlen;
@@ -441,16 +440,6 @@
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
-
/* do sequencing checks */
if ((ctx->initiate && direction != 0xff) ||
More information about the cvs-krb5
mailing list