krb5 commit: Adjust removed cred detection in FILE ccache
ghudson at mit.edu
Mon Jul 1 20:20:40 EDT 2024
https://github.com/krb5/krb5/commit/4c0838bb4c232866b95c9f2f72a55bf77cfc1308
commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Author: Greg Hudson <ghudson at mit.edu>
Date: Sun Jun 23 20:10:44 2024 -0400
Adjust removed cred detection in FILE ccache
In the FILE ccache, consider a cred to be removed if it has endtime 0
and authtime non-zero, instead of specifically authtime -1. This
change will let us filter out normal credentials deleted by Heimdal,
although not synthetic credentials such as config entries.
ticket: 9131 (new)
src/lib/krb5/ccache/cc_file.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index c70a28274..198152a9e 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -745,12 +745,15 @@ cleanup:
return set_errmsg_filename(context, ret, data->filename);
}
-/* Return true if cred is a removed entry (assuming that no legitimate cred
- * entries will have authtime=-1 and endtime=0). */
+/*
+ * Return true if cred is a removed entry. We assume that any active entry
+ * with endtime=0 (such as a config entry or gssproxy encrypted credential)
+ * will also have authtime=0.
+ */
static inline krb5_boolean
cred_removed(krb5_creds *c)
{
- return c->times.endtime == 0 && c->times.authtime == -1;
+ return c->times.endtime == 0 && c->times.authtime != 0;
}
/* Get the next credential from the cache file. */
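Review bot: the new comment above cred_removed() records the assumption about active endtime=0 entries, but not the limitation stated in the commit message, that synthetic credentials such as config entries deleted by Heimdal will not be filtered out. A sentence saying so in the comment would keep a later reader from assuming the check catches every removed entry. The widened test "c->times.authtime != 0" also makes the result depend entirely on that assumption, since any endtime=0 entry with a non-zero authtime is now treated as removed. The diffstat shows only cc_file.c changing, so consider adding a test that reads a cache holding one entry with endtime=0 and authtime=0 and one with endtime=0 and a non-zero authtime other than -1, to pin down both sides of the behavior.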