From: Greg Hudson Date: Wed, 23 Oct 2019 22:31:05 +0000 (-0400) Subject: Simplify AS request time handling in KDC X-Git-Tag: krb5-1.18-beta1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F993%2Fhead;p=thirdparty%2Fkrb5.git Simplify AS request time handling in KDC The kdc_time and authtime fields of struct as_req_state are redundant and can be condensed to just kdc_time. Copying the times structure from enc_tkt_reply to reply_encpart already sets the authtime field to kdc_time, so there is no need to repeat that assignment. Also remove two prototypes for functions which never existed in the mainline KDC code. --- diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index f0798f8eaa..5da8abde14 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -172,7 +172,6 @@ struct as_req_state { krb5_boolean typed_e_data; krb5_kdc_rep reply; krb5_timestamp kdc_time; - krb5_timestamp authtime; krb5_keyblock session_key; unsigned int c_flags; krb5_data *req_pkt; @@ -266,13 +265,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply_encpart.key_exp = get_key_exp(state->client); state->reply_encpart.flags = state->enc_tkt_reply.flags; state->reply_encpart.server = state->ticket_reply.server; - - /* copy the time fields EXCEPT for authtime; its location - * is used for ktime - */ state->reply_encpart.times = state->enc_tkt_reply.times; - state->reply_encpart.times.authtime = state->authtime = state->kdc_time; - state->reply_encpart.caddrs = state->enc_tkt_reply.caddrs; state->reply_encpart.enc_padata = NULL; @@ -361,7 +354,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) log_as_req(kdc_context, state->local_addr, state->remote_addr, state->request, &state->reply, state->client, state->cname, - state->server, state->sname, state->authtime, 0, 0, 0); + state->server, state->sname, state->kdc_time, 0, 0, 0); did_log = 1; egress: 
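Review bot: In the `-266,13` hunk of finish_process_as_req(), the reply's authtime is now whatever `state->enc_tkt_reply.times.authtime` holds when the struct is copied, whereas the old code overwrote it with `state->kdc_time` after the copy. The two agree only if nothing writes that field between the assignment in process_as_req() (the `-719,7` hunk) and this copy, and the code that runs in between is not visible in the diff. The removed comment was the only explanation of the time handling at this spot, so I would leave a short one in its place, for example `/* times.authtime was set to kdc_time in process_as_req(). */`. That also tells a later change that the log_as_req() calls report `kdc_time` rather than the ticket's own field, so the logged time and the issued authtime would diverge if the ticket value were ever adjusted. Both functions start and end outside the hunks shown.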
@@ -383,7 +376,7 @@ egress: if (state->status) { log_as_req(kdc_context, state->local_addr, state->remote_addr, state->request, &state->reply, state->client, - state->cname, state->server, state->sname, state->authtime, + state->cname, state->server, state->sname, state->kdc_time, state->status, errcode, emsg); did_log = 1; } @@ -549,7 +542,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = krb5_timeofday(kdc_context, &state->kdc_time); if (errcode) goto errout; - state->authtime = state->kdc_time; if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { @@ -719,7 +711,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->enc_tkt_reply.flags = get_ticket_flags(state->request->kdc_options, state->client, state->server, NULL); - state->enc_tkt_reply.times.authtime = state->authtime; + state->enc_tkt_reply.times.authtime = state->kdc_time; /* * It should be noted that local policy may affect the diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 4db51902c2..6724c46c75 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -305,20 +305,6 @@ kdc_check_transited_list (kdc_realm_t *kdc_active_realm, const krb5_data *realm1, const krb5_data *realm2); -krb5_error_code -audit_as_request (krb5_kdc_req *request, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_timestamp authtime, - krb5_error_code errcode); - -krb5_error_code -audit_tgs_request (krb5_kdc_req *request, - krb5_const_principal client, - krb5_db_entry *server, - krb5_timestamp authtime, - krb5_error_code errcode); - void kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, krb5_timestamp now,