From: Tom Yu
Date: Thu, 10 Jun 2010 21:14:26 +0000 (+0000)
Subject: pull up r24120, r24121 from trunk
X-Git-Tag: krb5-1.8.3-beta1~9
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ceff515f891f63558afe4d2b0f5869d37f30cd69;p=krb5.git
pull up r24120, r24121 from trunk
------------------------------------------------------------------------
r24120 | ghudson | 2010-06-08 12:14:24 -0400 (Tue, 08 Jun 2010) | 12 lines
ticket: 6739
target_version: 1.8.2
tags: pullup
Stop checking the current time against the context expiration time in the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data.
ticket: 6739
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24130 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index 51faaaa63..18c83dfad 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -328,7 +328,6 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
 {
 krb5_gss_ctx_id_rec *ctx;
 krb5_error_code code;
- krb5_timestamp now;
 krb5_context context;
 output_message_buffer->length = 0;
@@ -359,12 +358,6 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
 }
 context = ctx->k5_context;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
-
 switch (ctx->proto)
 {
 case 0:
@@ -396,5 +389,5 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
 *conf_state = conf_req_flag;
 *minor_status = 0;
- return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
 }
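Review bot: The final `return(GSS_S_COMPLETE);` in kg_seal no longer tells callers that the context has passed `ctx->krb_times.endtime`, and nothing at that site records that the omission is deliberate. A comment above the return would keep a later maintainer from "restoring" the check or assuming expiry is enforced here, e.g. `/* Context expiry is intentionally not checked per message; callers that must bound session lifetime should use gss_context_time(). */`. Applications that used GSS_S_CONTEXT_EXPIRED from wrap as their re-authentication trigger will now keep the session open without any signal, so the behaviour change also deserves a release-note entry. The same applies to the final `return GSS_S_COMPLETE;` of kg_seal_iov in k5sealiov.c; kg_seal's body starts outside these hunks.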
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
index 9ff823e08..c15e4e744 100644
--- a/src/lib/gssapi/krb5/k5sealiov.c
+++ b/src/lib/gssapi/krb5/k5sealiov.c
@@ -279,7 +279,6 @@ kg_seal_iov(OM_uint32 *minor_status,
 {
 krb5_gss_ctx_id_rec *ctx;
 krb5_error_code code;
- krb5_timestamp now;
 krb5_context context;
 if (qop_req != 0) {
@@ -298,19 +297,12 @@ kg_seal_iov(OM_uint32 *minor_status,
 return GSS_S_NO_CONTEXT;
 }
- context = ctx->k5_context;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return GSS_S_FAILURE;
- }
-
 if (conf_req_flag && kg_integ_only_iov(iov, iov_count)) {
 /* may be more sensible to return an error here */
 conf_req_flag = FALSE;
 }
+ context = ctx->k5_context;
 switch (ctx->proto) {
 case 0:
 code = make_seal_token_v1_iov(context, ctx, conf_req_flag,
@@ -333,7 +325,7 @@ kg_seal_iov(OM_uint32 *minor_status,
 *minor_status = 0;
- return (ctx->krb_times.endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
+ return GSS_S_COMPLETE;
 }
 #define INIT_IOV_DATA(_iov) do { (_iov)->buffer.value = NULL; \
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index b56cd2dee..5fa52feb4 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -79,7 +79,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
 krb5_checksum md5cksum;
 krb5_data plaind;
 char *data_ptr;
- krb5_timestamp now;
 unsigned char *plain;
 unsigned int cksum_len = 0;
 size_t plainlen;
@@ -441,16 +440,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
 if (qop_state)
 *qop_state = GSS_C_QOP_DEFAULT;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
-
 /* do sequencing checks */
 if ((ctx->initiate && direction != 0xff) ||
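Review bot: In kg_seal_iov (k5sealiov.c, second hunk) the block this commit now runs first, `if (conf_req_flag && kg_integ_only_iov(iov, iov_count))`, silently clears `conf_req_flag`, so a caller that asked for confidentiality gets an integrity-only token and still a successful return. The existing comment already doubts this. Whether `conf_state` is written back is outside the hunk, so a caller that does not inspect it may have no way to notice the downgrade. Either fail the call at that point or expand the comment to state that `conf_state` is the only signal and must be checked, e.g. `/* Confidentiality cannot be applied to an integrity-only IOV; the caller must inspect *conf_state. */`.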
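Review bot: With the `now > ctx->krb_times.endtime` test gone from kg_unseal_v1 (k5unseal.c, second hunk), the unwrap side accepts tokens on an established context indefinitely, so ticket lifetime no longer bounds how long a session stays usable. That matches the commit's stated intent, but the spot before `/* do sequencing checks */` should say so, e.g. `/* Expiry is not enforced per message; services that need a lifetime bound must call gss_context_time(). */`. The same removal is made in kg_unseal_v1_iov in k5unsealiov.c. This diff only touches the v1 token functions; whether the other `ctx->proto` unwrap path behaves the same cannot be seen here and is worth confirming so both protocols agree. kg_unseal_v1's body starts and ends outside the hunk.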
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index a489f0d84..2be7b82ae 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -52,7 +52,6 @@ kg_unseal_v1_iov(krb5_context context,
 int signalg;
 krb5_checksum cksum;
 krb5_checksum md5cksum;
- krb5_timestamp now;
 size_t cksum_len = 0;
 size_t conflen = 0;
 int direction;
@@ -280,19 +279,6 @@ kg_unseal_v1_iov(krb5_context context,
 if (qop_state != NULL)
 *qop_state = GSS_C_QOP_DEFAULT;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- retval = GSS_S_FAILURE;
- goto cleanup;
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- retval = GSS_S_CONTEXT_EXPIRED;
- goto cleanup;
- }
-
 if ((ctx->initiate && direction != 0xff) ||
 (!ctx->initiate && direction != 0)) {
 *minor_status = (OM_uint32)G_BAD_DIRECTION;