From: Greg Hudson
Date: Mon, 24 Jun 2024 00:10:44 +0000 (-0400)
Subject: Adjust removed cred detection in FILE ccache
X-Git-Tag: krb5-1.22-beta1~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c0838bb4c232866b95c9f2f72a55bf77cfc1308;p=thirdparty%2Fkrb5.git

Adjust removed cred detection in FILE ccache

In the FILE ccache, consider a cred to be removed if it has endtime 0 and authtime non-zero, instead of specifically authtime -1. This change will let us filter out normal credentials deleted by Heimdal, although not synthetic credentials such as config entries.

ticket: 9131 (new)
---
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index c70a282746..198152a9ec 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -745,12 +745,15 @@ cleanup:
 return set_errmsg_filename(context, ret, data->filename);
 }
 
-/* Return true if cred is a removed entry (assuming that no legitimate cred
- * entries will have authtime=-1 and endtime=0). */
+/*
+ * Return true if cred is a removed entry. We assume that any active entry
+ * with endtime=0 (such as a config entry or gssproxy encrypted credential)
+ * will also have authtime=0.
+ */
 static inline krb5_boolean
 cred_removed(krb5_creds *c)
 {
- return c->times.endtime == 0 && c->times.authtime == -1;
+ return c->times.endtime == 0 && c->times.authtime != 0;
 }
 
 /* Get the next credential from the cache file. */
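Review bot: The new comment above cred_removed() states the assumption but not the limit the commit description gives: a removed entry that has both endtime=0 and authtime=0 (per the description, a synthetic entry such as a config entry deleted by Heimdal) still passes this check and is handed to callers as a live entry. I would record that in the comment, for example `Removed entries that also have authtime=0 (such as config entries deleted by Heimdal) are not detected here.` The converse deserves a line too: an entry written by another implementation with endtime=0 and any non-zero authtime is now skipped silently, which fails closed but can be puzzling when a credential seems to be missing. The code that iterates the cache and calls cred_removed() lies outside this hunk, so whether a test covers an authtime other than -1 cannot be seen from here.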