svn rev #24130: branches/krb5-1-8/src/lib/gssapi/krb5/
tlyu@MIT.EDU
tlyu at MIT.EDU
Thu Jun 10 17:14:27 EDT 2010
http://mv.ezproxy.com.ezproxyberklee.flo.org/fisheye/changelog/krb5/?cs=24130
Commit By: tlyu
Log Message:
ticket: 6739
version_fixed: 1.8.3
status: resolved
pull up r24120, r24121 from trunk
------------------------------------------------------------------------
r24120 | ghudson | 2010-06-08 12:14:24 -0400 (Tue, 08 Jun 2010) | 12 lines
ticket: 6739
target_version: 1.8.2
tags: pullup
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
Changed Files:
U branches/krb5-1-8/src/lib/gssapi/krb5/k5seal.c
U branches/krb5-1-8/src/lib/gssapi/krb5/k5sealiov.c
U branches/krb5-1-8/src/lib/gssapi/krb5/k5unseal.c
U branches/krb5-1-8/src/lib/gssapi/krb5/k5unsealiov.c
Modified: branches/krb5-1-8/src/lib/gssapi/krb5/k5seal.c
===================================================================
--- branches/krb5-1-8/src/lib/gssapi/krb5/k5seal.c 2010-06-10 18:29:35 UTC (rev 24129)
+++ branches/krb5-1-8/src/lib/gssapi/krb5/k5seal.c 2010-06-10 21:14:26 UTC (rev 24130)
@@ -328,7 +328,6 @@
{
krb5_gss_ctx_id_rec *ctx;
krb5_error_code code;
- krb5_timestamp now;
krb5_context context;
output_message_buffer->length = 0;
@@ -359,12 +358,6 @@
}
context = ctx->k5_context;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
-
switch (ctx->proto)
{
case 0:
@@ -396,5 +389,5 @@
*conf_state = conf_req_flag;
*minor_status = 0;
- return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
}
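Review bot: The bare `return(GSS_S_COMPLETE);` that ends this function leaves no trace in the code that the expiry check was dropped on purpose, so a later reader may assume wrap still enforces `ctx->krb_times.endtime`, or may re-add the check. I would put a comment above it such as `/* Context expiration is deliberately not checked here (ticket 6739); callers that must enforce ticket lifetime should call gss_context_time(). */`, assuming gss_context_time() still reports expiry, which this diff does not show. The same comment belongs at the matching return in k5sealiov.c and at the points in k5unseal.c and k5unsealiov.c where the endtime checks were removed ahead of the direction checks, because after this change an acceptor keeps unwrapping messages on an expired context. The function body begins outside this hunk.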
Modified: branches/krb5-1-8/src/lib/gssapi/krb5/k5sealiov.c
===================================================================
--- branches/krb5-1-8/src/lib/gssapi/krb5/k5sealiov.c 2010-06-10 18:29:35 UTC (rev 24129)
+++ branches/krb5-1-8/src/lib/gssapi/krb5/k5sealiov.c 2010-06-10 21:14:26 UTC (rev 24130)
@@ -279,7 +279,6 @@
{
krb5_gss_ctx_id_rec *ctx;
krb5_error_code code;
- krb5_timestamp now;
krb5_context context;
if (qop_req != 0) {
@@ -298,19 +297,12 @@
return GSS_S_NO_CONTEXT;
}
- context = ctx->k5_context;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return GSS_S_FAILURE;
- }
-
if (conf_req_flag && kg_integ_only_iov(iov, iov_count)) {
/* may be more sensible to return an error here */
conf_req_flag = FALSE;
}
+ context = ctx->k5_context;
switch (ctx->proto) {
case 0:
code = make_seal_token_v1_iov(context, ctx, conf_req_flag,
@@ -333,7 +325,7 @@
*minor_status = 0;
- return (ctx->krb_times.endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
+ return GSS_S_COMPLETE;
}
#define INIT_IOV_DATA(_iov) do { (_iov)->buffer.value = NULL; \
Modified: branches/krb5-1-8/src/lib/gssapi/krb5/k5unseal.c
===================================================================
--- branches/krb5-1-8/src/lib/gssapi/krb5/k5unseal.c 2010-06-10 18:29:35 UTC (rev 24129)
+++ branches/krb5-1-8/src/lib/gssapi/krb5/k5unseal.c 2010-06-10 21:14:26 UTC (rev 24130)
@@ -79,7 +79,6 @@
krb5_checksum md5cksum;
krb5_data plaind;
char *data_ptr;
- krb5_timestamp now;
unsigned char *plain;
unsigned int cksum_len = 0;
size_t plainlen;
@@ -441,16 +440,6 @@
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
-
/* do sequencing checks */
if ((ctx->initiate && direction != 0xff) ||
Modified: branches/krb5-1-8/src/lib/gssapi/krb5/k5unsealiov.c
===================================================================
--- branches/krb5-1-8/src/lib/gssapi/krb5/k5unsealiov.c 2010-06-10 18:29:35 UTC (rev 24129)
+++ branches/krb5-1-8/src/lib/gssapi/krb5/k5unsealiov.c 2010-06-10 21:14:26 UTC (rev 24130)
@@ -52,7 +52,6 @@
int signalg;
krb5_checksum cksum;
krb5_checksum md5cksum;
- krb5_timestamp now;
size_t cksum_len = 0;
size_t conflen = 0;
int direction;
@@ -280,19 +279,6 @@
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- retval = GSS_S_FAILURE;
- goto cleanup;
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- retval = GSS_S_CONTEXT_EXPIRED;
- goto cleanup;
- }
-
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;