From ghudson at mit.edu Mon Jul 1 20:20:40 2024
From: ghudson at mit.edu (ghudson at mit.edu)
Date: Mon, 1 Jul 2024 20:20:40 -0400 (EDT)
Subject: krb5 commit: Adjust removed cred detection in FILE ccache
Message-ID: <20240702002040.5F927101AD6@krbdev.mit.edu>
https://github.com/krb5/krb5/commit/4c0838bb4c232866b95c9f2f72a55bf77cfc1308
commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Author: Greg Hudson
Date: Sun Jun 23 20:10:44 2024 -0400
Adjust removed cred detection in FILE ccache
In the FILE ccache, consider a cred to be removed if it has endtime 0 and authtime non-zero, instead of specifically authtime -1. This change will let us filter out normal credentials deleted by Heimdal, although not synthetic credentials such as config entries.
ticket: 9131 (new)
src/lib/krb5/ccache/cc_file.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index c70a28274..198152a9e 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -745,12 +745,15 @@ cleanup:
 return set_errmsg_filename(context, ret, data->filename);
 }
 
-/* Return true if cred is a removed entry (assuming that no legitimate cred
- * entries will have authtime=-1 and endtime=0). */
+/*
+ * Return true if cred is a removed entry. We assume that any active entry
+ * with endtime=0 (such as a config entry or gssproxy encrypted credential)
+ * will also have authtime=0.
+ */
 static inline krb5_boolean
 cred_removed(krb5_creds *c)
 {
- return c->times.endtime == 0 && c->times.authtime == -1;
+ return c->times.endtime == 0 && c->times.authtime != 0;
 }
 
 /* Get the next credential from the cache file. */
From ghudson at mit.edu Mon Jul 1 21:29:45 2024
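Review bot: `cred_removed()` now reports an entry as removed whenever endtime is 0 and authtime is nonzero, and the new comment states the assumption behind that but not its consequence: an entry deleted by another implementation that also carries authtime 0 (the config-entry case the commit message mentions) is still returned as live by this check. That limitation belongs in the comment so a later reader does not take the filter as complete, e.g. ` * Deleted entries that also have authtime=0 (e.g. config entries removed by Heimdal) are not detected and are returned as live.` The function only reads through `c`, so `cred_removed(const krb5_creds *c)` would document that as well.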
From: ghudson at mit.edu (ghudson at mit.edu)
Date: Mon, 1 Jul 2024 21:29:45 -0400 (EDT)
Subject: krb5 commit: Change krb5_get_credentials() endtime behavior
Message-ID: <20240702012945.B484F101AD6@krbdev.mit.edu>
https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48
commit e68890329f8ab766f9b746351b5c7d2d18d8dd48
Author: Greg Hudson
Date: Thu Jun 27 07:25:21 2024 -0400
Change krb5_get_credentials() endtime behavior
Historically, krb5_get_credentials() uses in_creds->times.endtime both as the TGS request endtime and as a cache lookup criterion. These uses are in conflict; setting a TGS request endtime can only serve to limit the maximum lifetime of the issued ticket, while a cache lookup endtime restricts the minimum lifetime of an acceptable cached ticket. The likely outcome is to never use a cached ticket, leading to poor performance as we add an entry to the cache for each request. Change to the Heimdal behavior of using in_creds->times.endtime only as the TGS request endtime.
ticket: 9132 (new)
src/include/krb5/krb5.hin | 8 ++++----
src/lib/krb5/krb/get_creds.c | 13 +++++-------
2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7c4fc10dd..99b637872 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -3043,10 +3043,10 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts);
 * session key type is specified in @a in_creds->keyblock.enctype, if it is
 * nonzero.
 *
- * The expiration date is specified in @a in_creds->times.endtime.
- * The KDC may return tickets with an earlier expiration date.
- * If @a in_creds->times.endtime is set to 0, the latest possible
- * expiration date will be requested.
+ * If @a in_creds->times.endtime is specified, it is used as the requested
+ * expiration date if a TGS request is made. If @a in_creds->times.endtime is
+ * set to 0, the latest possible expiration date will be requested. The KDC or
+ * cache may return a ticket with an earlier expiration date.
 *
 * Any returned ticket and intermediate ticket-granting tickets are stored
 * in @a ccache.
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index e986844a7..00becae96 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -53,18 +53,16 @@ construct_matching_creds(krb5_context context, krb5_flags options,
 krb5_creds *in_creds, krb5_creds *mcreds,
 krb5_flags *fields)
 {
+ krb5_error_code ret;
+
 if (!in_creds || !in_creds->server || !in_creds->client)
 return EINVAL;
 
 memset(mcreds, 0, sizeof(krb5_creds));
 mcreds->magic = KV5M_CREDS;
- if (in_creds->times.endtime != 0) {
- mcreds->times.endtime = in_creds->times.endtime;
- } else {
- krb5_error_code retval;
- retval = krb5_timeofday(context, &mcreds->times.endtime);
- if (retval != 0) return retval;
- }
+ ret = krb5_timeofday(context, &mcreds->times.endtime);
+ if (ret)
+ return ret;
 mcreds->keyblock = in_creds->keyblock;
 mcreds->authdata = in_creds->authdata;
 mcreds->server = in_creds->server;
@@ -75,7 +73,6 @@ construct_matching_creds(krb5_context context, krb5_flags options,
 | KRB5_TC_SUPPORTED_KTYPES;
 if (mcreds->keyblock.enctype) {
 krb5_enctype *ktypes;
- krb5_error_code ret;
 int i;
 
 *fields |= KRB5_TC_MATCH_KTYPE;
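Review bot: The rewritten paragraph in the krb5.hin hunk describes what endtime means for a TGS request but never states the change a caller can observe: endtime no longer filters cached tickets, so a caller that set it to demand a minimum remaining lifetime now silently receives a cached ticket that may expire sooner than requested. The get_creds.c hunk below appears to make this concrete by filling the match template's endtime from `krb5_timeofday()` only. A sentence such as ` * @a in_creds->times.endtime is not used to select among cached tickets; a cached ticket that has not yet expired may be returned regardless of that value.` would make the behavioral change explicit for existing callers, who otherwise must compare the returned ticket's endtime themselves.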
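Review bot: The new `krb5_timeofday()` assignment into `mcreds->times.endtime` in construct_matching_creds() carries no comment, so a reader of this function alone cannot tell that the caller's endtime is deliberately left out of the match template; the removed branch made that intent visible and the replacement does not. A one-line why-comment above the call, `/* Match any cached ticket still valid now; in_creds->times.endtime only bounds the TGS request. */`, would preserve it. construct_matching_creds() continues past the end of this hunk.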