From: Nicolas Williams <nico@cryptonector.com>
Date: Fri, 26 Apr 2013 19:37:01 +0000 (-0500)
Subject: Don't use expired TGTs in TGS-REQs
X-Git-Tag: krb5-1.12-alpha1~201
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9977eb769b9def8fbbf289f7eac3938c863fa2ef;p=thirdparty%2Fkrb5.git

Don't use expired TGTs in TGS-REQs

ticket: 6948
---

diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 23c0a10838..8994527097 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -57,20 +57,14 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
 
     memset(mcreds, 0, sizeof(krb5_creds));
     mcreds->magic = KV5M_CREDS;
-    if (in_creds->times.endtime != 0) {
+    if (in_creds->times.endtime != 0)
         mcreds->times.endtime = in_creds->times.endtime;
-    } else {
-        krb5_error_code retval;
-        retval = krb5_timeofday(context, &mcreds->times.endtime);
-        if (retval != 0) return retval;
-    }
     mcreds->keyblock = in_creds->keyblock;
     mcreds->authdata = in_creds->authdata;
     mcreds->server = in_creds->server;
     mcreds->client = in_creds->client;
 
-    *fields = KRB5_TC_MATCH_TIMES /*XXX |KRB5_TC_MATCH_SKEY_TYPE */
-        | KRB5_TC_MATCH_AUTHDATA
+    *fields = KRB5_TC_MATCH_AUTHDATA /*XXX |KRB5_TC_MATCH_SKEY_TYPE */
         | KRB5_TC_SUPPORTED_KTYPES;
     if (mcreds->keyblock.enctype) {
         krb5_enctype *ktypes;
@@ -236,6 +230,14 @@ cache_get(krb5_context context, krb5_ccache ccache, krb5_flags flags,
 
     *out_creds = NULL;
 
+    if (in_creds->times.endtime == 0) {
+        code = krb5_timeofday(context, &in_creds->times.endtime);
+        if (code != 0)
+            return code;
+    }
+
+    flags |= KRB5_TC_MATCH_TIMES;
+
     creds = malloc(sizeof(*creds));
     if (creds == NULL)
         return ENOMEM;