Pull in keyring expiration from RT#7769krb5-1.11.3-33.fc20

- pull in fix to set expiration times on keyrings used for storing keyring credential caches (RT#7769, #1031724)
author: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-11-18 17:47:36 -0500
committer: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-11-18 18:02:38 -0500
commit: 9488d7d5cc396c2ab42cd144fe5e4139ef59cadb (patch)
tree: f82f706a393d72814ed6a59043a77e2e8b6a9480 /krb5-master-keyring-expiration.patch
parent: cf42e92cc6d7dfacb04b5d2378f59262c5bb3b2e (diff)
download: krb5-9488d7d5cc396c2ab42cd144fe5e4139ef59cadb.tar.gz
krb5-9488d7d5cc396c2ab42cd144fe5e4139ef59cadb.tar.xz
krb5-9488d7d5cc396c2ab42cd144fe5e4139ef59cadb.zip
1 files changed, 127 insertions, 0 deletions
diff --git a/krb5-master-keyring-expiration.patch b/krb5-master-keyring-expiration.patch
new file mode 100644
index 0000000..2c58cb0
--- /dev/null
+++ b/krb5-master-keyring-expiration.patch
@@ -0,0 +1,127 @@
+commit 29e60c5b7ac0980606971afc6fd6028bcf0c7f0f
+Author: Simo Sorce <simo@redhat.com>
+Date:   Fri Nov 15 16:36:05 2013 -0500
+
+    Set expiration time on keys and keyrings
+    
+    By setting the timeout based on the credetial's timeout we let the
+    system automatically cleanup expired credentials.
+    
+    [ghudson@mit.edu: simplified code slightly]
+    
+    ticket: 7769 (new)
+    target_version: 1.12
+    tags: pullup
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index 2192fa5..1a0f1df 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -818,21 +818,68 @@ cleanup:
+ 
+ static krb5_error_code
+ add_cred_key(const char *name, const void *payload, size_t plen,
+-             key_serial_t cache_id, krb5_boolean legacy_type)
++             key_serial_t cache_id, krb5_boolean legacy_type,
++             key_serial_t *key_out)
+ {
+     key_serial_t key;
+ 
++    *key_out = -1;
+     if (!legacy_type) {
+         /* Try the preferred cred key type; fall back if no kernel support. */
+         key = add_key(KRCC_CRED_KEY_TYPE, name, payload, plen, cache_id);
+-        if (key != -1)
++        if (key != -1) {
++            *key_out = key;
+             return 0;
+-        else if (errno != EINVAL && errno != ENODEV)
++        } else if (errno != EINVAL && errno != ENODEV) {
+             return errno;
++        }
+     }
+     /* Use the user key type. */
+     key = add_key(KRCC_KEY_TYPE_USER, name, payload, plen, cache_id);
+-    return (key == -1) ? errno : 0;
++    if (key == -1)
++        return errno;
++    *key_out = key;
++    return 0;
++}
++
++static void
++update_keyring_expiration(krb5_context context, krb5_ccache id)
++{
++    krb5_krcc_data *d = (krb5_krcc_data *)id->data;
++    krb5_cc_cursor cursor;
++    krb5_creds creds;
++    krb5_timestamp now, endtime = 0;
++    unsigned int timeout;
++
++    /*
++     * We have no way to know what is the actual timeout set on the keyring.
++     * We also cannot keep track of it in a local variable as another process
++     * can always modify the keyring independently, so just always enumerate
++     * all keys and find out the highest endtime time.
++     */
++
++    /* Find the maximum endtime of all creds in the cache. */
++    if (krb5_krcc_start_seq_get(context, id, &cursor) != 0)
++        return;
++    for (;;) {
++        if (krb5_krcc_next_cred(context, id, &cursor, &creds) != 0)
++            break;
++        if (creds.times.endtime > endtime)
++            endtime = creds.times.endtime;
++        krb5_free_cred_contents(context, &creds);
++    }
++    (void)krb5_krcc_end_seq_get(context, id, &cursor);
++
++    if (endtime == 0)        /* No creds with end times */
++        return;
++
++    if (krb5_timeofday(context, &now) != 0)
++        return;
++
++    /* Setting the timeout to zero would reset the timeout, so we set it to one
++     * second instead if creds are already expired. */
++    timeout = (endtime > now) ? endtime - now : 1;
++    (void)keyctl_set_timeout(d->cache_id, timeout);
+ }
+ 
+ /*
+@@ -1497,6 +1544,8 @@ krb5_krcc_store(krb5_context context, krb5_ccache id, krb5_creds * creds)
+     char   *payload = NULL;
+     unsigned int payloadlen;
+     char   *keyname = NULL;
++    key_serial_t cred_key;
++    krb5_timestamp now;
+ 
+     DEBUG_PRINT(("krb5_krcc_store: entered\n"));
+ 
+@@ -1523,12 +1572,24 @@ krb5_krcc_store(krb5_context context, krb5_ccache id, krb5_creds * creds)
+     DEBUG_PRINT(("krb5_krcc_store: adding new key '%s' to keyring %d\n",
+                  keyname, d->cache_id));
+     kret = add_cred_key(keyname, payload, payloadlen, d->cache_id,
+-                        d->is_legacy_type);
++                        d->is_legacy_type, &cred_key);
+     if (kret)
+         goto errout;
+ 
+     krb5_krcc_update_change_time(d);
+ 
++    /* Set appropriate timeouts on cache keys. */
++    kret = krb5_timeofday(context, &now);
++    if (kret)
++        goto errout;
++
++    if (creds->times.endtime > now)
++        (void)keyctl_set_timeout(cred_key, creds->times.endtime - now);
++
++    update_keyring_expiration(context, id);
++
++    kret = KRB5_OK;
++
+ errout:
+     if (keyname)
+         krb5_free_unparsed_name(context, keyname);
author	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-11-18 17:47:36 -0500
committer	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-11-18 18:02:38 -0500
commit	9488d7d5cc396c2ab42cd144fe5e4139ef59cadb (patch)
tree	f82f706a393d72814ed6a59043a77e2e8b6a9480 /krb5-master-keyring-expiration.patch
parent	cf42e92cc6d7dfacb04b5d2378f59262c5bb3b2e (diff)
download	krb5-9488d7d5cc396c2ab42cd144fe5e4139ef59cadb.tar.gz krb5-9488d7d5cc396c2ab42cd144fe5e4139ef59cadb.tar.xz krb5-9488d7d5cc396c2ab42cd144fe5e4139ef59cadb.zip