From c38c2428d55cc3fa5440907e42d15e9a2e882084 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 8 Jun 2010 16:26:23 +0000 Subject: [PATCH] Stop checking the current time against the context expiration time in the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data. (This is a continuation of r24120, which should have contained the changes to all four files.) ticket: 6739 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24121 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/k5seal.c | 9 +-------- src/lib/gssapi/krb5/k5sealiov.c | 12 ++---------- src/lib/gssapi/krb5/k5unseal.c | 11 ----------- 3 files changed, 3 insertions(+), 29 deletions(-) diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 51faaaa63..18c83dfad 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -328,7 +328,6 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, { krb5_gss_ctx_id_rec *ctx; krb5_error_code code; - krb5_timestamp now; krb5_context context; output_message_buffer->length = 0; @@ -359,12 +358,6 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, } context = ctx->k5_context; - if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); - } - switch (ctx->proto) { case 0: @@ -396,5 +389,5 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, *conf_state = conf_req_flag; *minor_status = 0; - return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c index 9ff823e08..c15e4e744 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c @@ -279,7 +279,6 @@ kg_seal_iov(OM_uint32 *minor_status, { krb5_gss_ctx_id_rec *ctx; krb5_error_code code; - krb5_timestamp now; krb5_context context; if (qop_req != 0) { @@ -298,19 +297,12 @@ kg_seal_iov(OM_uint32 *minor_status, return GSS_S_NO_CONTEXT; } - context = ctx->k5_context; - code = krb5_timeofday(context, &now); - if (code != 0) { - *minor_status = code; - save_error_info(*minor_status, context); - return GSS_S_FAILURE; - } - if (conf_req_flag && kg_integ_only_iov(iov, iov_count)) { /* may be more sensible to return an error here */ conf_req_flag = FALSE; } + context = ctx->k5_context; switch (ctx->proto) { case 0: code = make_seal_token_v1_iov(context, ctx, conf_req_flag, @@ -333,7 +325,7 @@ kg_seal_iov(OM_uint32 *minor_status, *minor_status = 0; - return (ctx->krb_times.endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE; + return GSS_S_COMPLETE; } #define INIT_IOV_DATA(_iov) do { (_iov)->buffer.value = NULL; \ diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index b56cd2dee..5fa52feb4 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -79,7 +79,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, krb5_checksum md5cksum; krb5_data plaind; char *data_ptr; - krb5_timestamp now; unsigned char *plain; unsigned int cksum_len = 0; size_t plainlen; @@ -441,16 +440,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, if (qop_state) *qop_state = GSS_C_QOP_DEFAULT; - if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - return(GSS_S_FAILURE); - } - - if (now > ctx->krb_times.endtime) { - *minor_status = 0; - return(GSS_S_CONTEXT_EXPIRED); - } - /* do sequencing checks */ if ((ctx->initiate && direction != 0xff) || -- 2.26.2