diff options
author | Greg Hudson <ghudson@mit.edu> | 2010-06-08 16:26:23 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-06-08 16:26:23 +0000 |
commit | c38c2428d55cc3fa5440907e42d15e9a2e882084 (patch) | |
tree | d542f77bf034ea6926d021c20a08beb2299e73b0 /src/lib/gssapi/krb5/k5seal.c | |
parent | 8cabf8a9bbc359a1627d005e4a08dfa4ca61c89e (diff) | |
download | krb5-c38c2428d55cc3fa5440907e42d15e9a2e882084.zip krb5-c38c2428d55cc3fa5440907e42d15e9a2e882084.tar.gz krb5-c38c2428d55cc3fa5440907e42d15e9a2e882084.tar.bz2 |
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
(This is a continuation of r24120, which should have contained the
changes to all four files.)
ticket: 6739
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24121 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/krb5/k5seal.c')
-rw-r--r-- | src/lib/gssapi/krb5/k5seal.c | 9 |
1 files changed, 1 insertions, 8 deletions
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 51faaaa..18c83df 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -328,7 +328,6 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, { krb5_gss_ctx_id_rec *ctx; krb5_error_code code; - krb5_timestamp now; krb5_context context; output_message_buffer->length = 0; @@ -359,12 +358,6 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, } context = ctx->k5_context; - if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); - } - switch (ctx->proto) { case 0: @@ -396,5 +389,5 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, *conf_state = conf_req_flag; *minor_status = 0; - return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); + return(GSS_S_COMPLETE); } |