From 24ef2c6dbf3d5d523df4c3c0c115e4d2ef4fff45 Mon Sep 17 00:00:00 2001
From: ericm
Date: Mon, 19 Sep 2005 07:11:07 +0000
Subject: [PATCH] roundup gss credential timeout down to avoid expiration between accept & authorize on server, or check & encrypt rpc on client.
---
 lustre/sec/gss/gss_internal.h | 14 ++++++++++++++
 lustre/sec/gss/sec_gss.c | 2 +-
 lustre/sec/gss/svcsec_gss.c | 2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/lustre/sec/gss/gss_internal.h b/lustre/sec/gss/gss_internal.h
index f659940..82f932d 100644
--- a/lustre/sec/gss/gss_internal.h
+++ b/lustre/sec/gss/gss_internal.h
@@ -212,6 +212,20 @@ struct gss_cred {
 /* This is too coarse. We'll let mech determine it */
 #define GSS_MAX_AUTH_PAYLOAD (128)
+/* FIXME we'd better make it expire sooner than it really is, since
+ * there's chance it might get expire between the last check and
+ * encrypt rpc. but the time between check & encrypt is not so certain.
+ */
+static inline
+unsigned long gss_roundup_expire_time(__u64 expiry)
+{
+ unsigned long cur = get_seconds();
+
+ if (expiry >= cur + obd_timeout)
+ return (unsigned long) expiry - obd_timeout;
+ return (unsigned long) expiry;
+}
+
 /* gss_mech_switch.c */
 int init_kerberos_module(void);
 void cleanup_kerberos_module(void);
diff --git a/lustre/sec/gss/sec_gss.c b/lustre/sec/gss/sec_gss.c
index 33b4291..bdd6232 100644
--- a/lustre/sec/gss/sec_gss.c
+++ b/lustre/sec/gss/sec_gss.c
@@ -578,7 +578,7 @@ void gss_cred_set_ctx(struct ptlrpc_cred *cred, struct gss_cl_ctx *ctx)
 CERROR("unable to get expire time\n");
 ctx_expiry = 1; /* make it expired now */
 }
- cred->pc_expire = (unsigned long) ctx_expiry;
+ cred->pc_expire = gss_roundup_expire_time(ctx_expiry);
 write_lock(&gss_ctx_lock);
 old = gcred->gc_ctx;
diff --git a/lustre/sec/gss/svcsec_gss.c b/lustre/sec/gss/svcsec_gss.c
index a0e0f2a..cb5d8f1 100644
--- a/lustre/sec/gss/svcsec_gss.c
+++ b/lustre/sec/gss/svcsec_gss.c
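Review bot: The fallback `return (unsigned long) expiry;` in gss_roundup_expire_time() returns the unadjusted time whenever fewer than obd_timeout seconds remain, so for those contexts the check-then-encrypt window described in the FIXME is still open. If that is deliberate, the comment should say so, e.g. `/* less than obd_timeout left: keep the real expiry, the race is not closed here */`; the fail-closed alternative is to report such a context as already expired. The `(unsigned long)` casts also narrow the `__u64` on builds where long is 32 bits, and the name says "roundup" although the value is moved earlier, both of which deserve a word in the same comment.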
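Review bot: The error path just above the changed line sets `ctx_expiry = 1` to force expiry, and after this change that sentinel stays expired only because gss_roundup_expire_time() leaves values below `cur + obd_timeout` untouched. A comment at the call would keep that dependency visible, e.g. `/* ctx_expiry == 1 passes through unchanged, so the cred still counts as expired */`. gss_cred_set_ctx() begins and ends outside the hunk, so how pc_expire is later compared against the clock cannot be confirmed from here.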
@@ -591,7 +591,7 @@ static int rsc_parse(struct cache_detail *cd,
 kgss_mech_put(gm);
 goto out;
 }
- expiry = (time_t) ((__u32) ctx_expiry);
+ expiry = (time_t) gss_roundup_expire_time(ctx_expiry);
 kgss_mech_put(gm);
 }
--
1.8.3.1
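Review bot: The new `expiry` assignment drops the `(__u32)` narrowing that the removed line applied to ctx_expiry, so on a build with 64-bit long a very large value from the mechanism would now reach the `(time_t)` cast intact and could come out negative. Whether the mechanism can return such a value is not visible in this hunk. If the narrowing was deliberate, keep it at the call, `expiry = (time_t) gss_roundup_expire_time((__u32) ctx_expiry);`, otherwise range-check ctx_expiry before converting. rsc_parse() begins and ends outside the hunk.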