/* Helper function for kssl_validate_times().
** We need context->clockskew, but krb5_context is an opaque struct.
** So we try to sneek the clockskew out through the replay cache.
** If that fails just return a likely default (300 seconds).
*/
static krb5_deltat
get_rc_clockskew(krb5_context context)
{
krb5_rcache rc;
krb5_deltat clockskew;
if (krb5_rc_default(context, &rc))
return KSSL_CLOCKSKEW;
if (krb5_rc_initialize(context, rc, 0))
return KSSL_CLOCKSKEW;
if (krb5_rc_get_lifespan(context, rc, &clockskew)) {
clockskew = KSSL_CLOCKSKEW;
}
(void)krb5_rc_destroy(context, rc);
return clockskew;
}
/*
* Serialize krb5_rcache.
*/
static krb5_error_code
ser_rcache_test(krb5_context kcontext, int verbose)
{
krb5_error_code kret;
char rcname[128];
krb5_rcache rcache;
snprintf(rcname, sizeof(rcname), "dfl:temp_rc_%d", (int) getpid());
if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname)) &&
!(kret = ser_data(verbose, "> Resolved FILE rcache",
(krb5_pointer) rcache, KV5M_RCACHE)) &&
!(kret = krb5_rc_initialize(kcontext, rcache, 3600*24)) &&
!(kret = ser_data(verbose, "> Initialized FILE rcache",
(krb5_pointer) rcache, KV5M_RCACHE)) &&
!(kret = krb5_rc_destroy(kcontext, rcache))) {
if (verbose)
printf("* rcache test succeeded\n");
}
if (kret)
printf("* krb5_rcache test failed\n");
return(kret);
}
static krb5_error_code
krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
{
struct dfl_data *t = (struct dfl_data *)id->data;
#ifdef NOIOSTUFF
unsigned int i;
struct authlist **q;
struct authlist **qt;
struct authlist *r;
struct authlist *rt;
krb5_int32 now;
if (krb5_timestamp(context, &now))
now = 0;
for (q = &t->a; *q; q = qt) {
qt = &(*q)->na;
if (alive(now, &(*q)->rep, t->lifespan) == CMP_EXPIRED) {
free((*q)->rep.client);
free((*q)->rep.server);
if ((*q)->rep.msghash)
free((*q)->rep.msghash);
free(*q);
*q = *qt; /* why doesn't this feel right? */
}
}
for (i = 0; i < t->hsize; i++)
t->h[i] = (struct authlist *) 0;
for (r = t->a; r; r = r->na) {
i = hash(&r->rep, t->hsize);
rt = t->h[i];
t->h[i] = r;
r->nh = rt;
}
return 0;
#else
struct authlist *q;
char *name;
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
if (! t->recovering) {
name = t->name;
t->name = 0; /* Clear name so it isn't freed */
(void) krb5_rc_dfl_close_no_free(context, id);
retval = krb5_rc_dfl_resolve(context, id, name);
free(name);
if (retval)
return retval;
retval = krb5_rc_dfl_recover_locked(context, id);
if (retval)
return retval;
t = (struct dfl_data *)id->data; /* point to recovered cache */
}
retval = krb5_rc_resolve_type(context, &tmp, "dfl");
if (retval)
return retval;
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
retval = krb5_rc_initialize(context, tmp, lifespan);
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
if (krb5_rc_io_store(context, (struct dfl_data *)tmp->data, &q->rep)) {
retval = KRB5_RC_IO;
goto cleanup;
}
}
/* NOTE: We set retval in case we have an error */
retval = KRB5_RC_IO;
if (krb5_rc_io_sync(context, &((struct dfl_data *)tmp->data)->d))
goto cleanup;
if (krb5_rc_io_sync(context, &t->d))
goto cleanup;
if (krb5_rc_io_move(context, &t->d, &((struct dfl_data *)tmp->data)->d))
goto cleanup;
retval = 0;
cleanup:
(void) krb5_rc_dfl_close(context, tmp);
return retval;
#endif
}
