[31339] in CVS-changelog-for-Kerberos-V5


krb5 commit: Adjust removed cred detection in FILE ccache

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Jul 1 20:20:47 2024

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20240702002040.5F927101AD6@krbdev.mit.edu>
Date: Mon,  1 Jul 2024 20:20:40 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/4c0838bb4c232866b95c9f2f72a55bf77cfc1308
commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Author: Greg Hudson <ghudson@mit.edu>
Date:   Sun Jun 23 20:10:44 2024 -0400

    Adjust removed cred detection in FILE ccache
    
    In the FILE ccache, consider a cred to be removed if it has endtime 0
    and authtime non-zero, instead of specifically authtime -1.  This
    change will let us filter out normal credentials deleted by Heimdal,
    although not synthetic credentials such as config entries.
    
    ticket: 9131 (new)

 src/lib/krb5/ccache/cc_file.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index c70a28274..198152a9e 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -745,12 +745,15 @@ cleanup:
     return set_errmsg_filename(context, ret, data->filename);
 }
 
-/* Return true if cred is a removed entry (assuming that no legitimate cred
- * entries will have authtime=-1 and endtime=0). */
+/*
+ * Return true if cred is a removed entry.  We assume that any active entry
+ * with endtime=0 (such as a config entry or gssproxy encrypted credential)
+ * will also have authtime=0.
+ */
 static inline krb5_boolean
 cred_removed(krb5_creds *c)
 {
-    return c->times.endtime == 0 && c->times.authtime == -1;
+    return c->times.endtime == 0 && c->times.authtime != 0;
 }
 
 /* Get the next credential from the cache file. */
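Review bot: the new comment above cred_removed() states the assumption but not the reason the test was widened from `authtime == -1` to `authtime != 0`. The commit message's rationale belongs in that comment, since someone reading cc_file.c will not otherwise see it: the change filters out normal credentials deleted by Heimdal, but not deleted synthetic entries such as config entries. The wider check also means any active entry written with endtime=0 and a non-zero authtime is now treated as removed, and the diffstat shows only cc_file.c changing. A test would pin the assumption down if it checks that an endtime=0, authtime=0 entry is still treated as active and that an endtime=0 entry with a non-zero authtime other than -1 is treated as removed.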
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
