From: Greg Hudson Date: Sun, 5 Oct 2014 00:39:14 +0000 (-0400) Subject: Improve klist check for expired cache X-Git-Tag: krb5-1.14-alpha1~227 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=922f627b28f480eafc240fb4706cacf6aa7f4c14;p=thirdparty%2Fkrb5.git Improve klist check for expired cache Make klist -s succeed for a cache which contains a non-expired credential and no TGT cred. ticket: 8022 --- diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index 15981bff4f..a10451d35a 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c @@ -542,7 +542,7 @@ check_ccache(krb5_ccache cache) krb5_cc_cursor cur; krb5_creds creds; krb5_principal princ; - int exit_status = 1; + krb5_boolean found_tgt, found_current_tgt, found_current_cred; if (krb5_cc_set_flags(kcontext, cache, 0) != 0) return 1; @@ -550,10 +550,16 @@ check_ccache(krb5_ccache cache) return 1; if (krb5_cc_start_seq_get(kcontext, cache, &cur) != 0) return 1; + found_tgt = found_current_tgt = found_current_cred = FALSE; while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) { - if (is_local_tgt(creds.server, &princ->realm) && - creds.times.endtime > now) - exit_status = 0; + if (is_local_tgt(creds.server, &princ->realm)) { + found_tgt = TRUE; + if (creds.times.endtime > now) + found_current_tgt = TRUE; + } else if (!krb5_is_config_principal(kcontext, creds.server) && + creds.times.endtime > now) { + found_current_cred = TRUE; + } krb5_free_cred_contents(kcontext, &creds); } krb5_free_principal(kcontext, princ); @@ -563,7 +569,12 @@ check_ccache(krb5_ccache cache) return 1; if (krb5_cc_set_flags(kcontext, cache, KRB5_TC_OPENCLOSE) != 0) return 1; - return exit_status; + + /* If the cache contains at least one local TGT, require that it be + * current. Otherwise accept any current cred. */ + if (found_tgt) + return found_current_tgt ? 0 : 1; + return found_current_cred ? 0 : 1; } /* Return true if princ is the local krbtgt principal for local_realm. */