------------------------------------------------------------------------
r24120 | ghudson | 2010-06-08 12:14:24 -0400 (Tue, 08 Jun 2010) | 12 lines
ticket: 6739
target_version: 1.8.2
tags: pullup
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
ticket: 6739
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24130
dc483132-0cff-0310-8789-
dd5450dbe970
{
krb5_gss_ctx_id_rec *ctx;
krb5_error_code code;
- krb5_timestamp now;
krb5_context context;
output_message_buffer->length = 0;
}
context = ctx->k5_context;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
-
switch (ctx->proto)
{
case 0:
*conf_state = conf_req_flag;
*minor_status = 0;
- return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
}
{
krb5_gss_ctx_id_rec *ctx;
krb5_error_code code;
- krb5_timestamp now;
krb5_context context;
if (qop_req != 0) {
return GSS_S_NO_CONTEXT;
}
- context = ctx->k5_context;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return GSS_S_FAILURE;
- }
-
if (conf_req_flag && kg_integ_only_iov(iov, iov_count)) {
/* may be more sensible to return an error here */
conf_req_flag = FALSE;
}
+ context = ctx->k5_context;
switch (ctx->proto) {
case 0:
code = make_seal_token_v1_iov(context, ctx, conf_req_flag,
*minor_status = 0;
- return (ctx->krb_times.endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
+ return GSS_S_COMPLETE;
}
#define INIT_IOV_DATA(_iov) do { (_iov)->buffer.value = NULL; \
krb5_checksum md5cksum;
krb5_data plaind;
char *data_ptr;
- krb5_timestamp now;
unsigned char *plain;
unsigned int cksum_len = 0;
size_t plainlen;
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
-
/* do sequencing checks */
if ((ctx->initiate && direction != 0xff) ||
int signalg;
krb5_checksum cksum;
krb5_checksum md5cksum;
- krb5_timestamp now;
size_t cksum_len = 0;
size_t conflen = 0;
int direction;
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
- code = krb5_timeofday(context, &now);
- if (code != 0) {
- *minor_status = code;
- retval = GSS_S_FAILURE;
- goto cleanup;
- }
-
- if (now > ctx->krb_times.endtime) {
- *minor_status = 0;
- retval = GSS_S_CONTEXT_EXPIRED;
- goto cleanup;
- }
-
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
projects / krb5.git / commitdiff