From c213a8b8fcb17eff6ba3c91e66d9b461588cb967 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 7 Mar 2016 13:35:45 +0100
Subject: [PATCH] sec-mod: do not export expired entries to cookies list op

Also combined macro to determine expired entries.
---
 src/sec-mod-auth.c | 2 +-
 src/sec-mod-cookies.c | 4 ++++
 src/sec-mod-db.c | 3 +--
 src/sec-mod.h | 3 +++
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
index 438241ab..1f49a9f3 100644
--- a/src/sec-mod-auth.c
+++ b/src/sec-mod-auth.c
@@ -384,7 +384,7 @@ int handle_secm_session_open_cmd(sec_mod_st *sec, int fd, const SecmSessionOpenM
 return send_failed_session_open_reply(sec, fd);
 }
- if (e->time != -1 && time(0) > e->time + sec->config->cookie_timeout) {
+ if IS_CLIENT_ENTRY_EXPIRED(sec, e, time(0)) {
 seclog(sec, LOG_ERR, "session expired; denied session for user '%s' "SESSION_STR, e->acct_info.username, e->acct_info.psid);
 e->status = PS_AUTH_FAILED;
 return send_failed_session_open_reply(sec, fd);
diff --git a/src/sec-mod-cookies.c b/src/sec-mod-cookies.c
index 1e225227..37d68584 100644
--- a/src/sec-mod-cookies.c
+++ b/src/sec-mod-cookies.c
@@ -48,6 +48,7 @@ void handle_secm_list_cookies_reply(void *pool, int fd, sec_mod_st *sec)
 struct htable_iter iter;
 CookieIntMsg *cookies;
 int ret;
+ time_t now = time(0);
 if (db == NULL) {
 send_empty_reply(pool, fd, sec);
@@ -70,6 +71,9 @@ void handle_secm_list_cookies_reply(void *pool, int fd, sec_mod_st *sec)
 t = htable_first(db, &iter);
 while (t != NULL) {
+ if IS_CLIENT_ENTRY_EXPIRED(sec, t, now)
+ continue;
+
 if (msg.n_cookies >= db->elems)
 break;
diff --git a/src/sec-mod-db.c b/src/sec-mod-db.c
index 34253e6f..7c984d96 100644
--- a/src/sec-mod-db.c
+++ b/src/sec-mod-db.c
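Review bot: The replacement check in handle_secm_session_open_cmd is not equivalent to the condition it removes: IS_CLIENT_ENTRY_EXPIRED also requires `e->in_use == 0`, so an entry whose cookie_timeout has elapsed but which is still marked in use is no longer refused here, whereas the old condition refused it regardless of in_use. Whether `in_use` can be non-zero for `e` at this point is decided outside the hunk, so either confirm that it cannot or record the new tolerance with a comment such as `/* an entry still in use is never treated as expired here */`. As a matter of style, write the macro call inside parentheses, `if (IS_CLIENT_ENTRY_EXPIRED(sec, e, time(0))) {`, rather than relying on the macro body's outer parentheses; the same applies to the sec-mod-cookies.c and sec-mod-db.c hunks. handle_secm_session_open_cmd continues beyond this hunk.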
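Review bot: The `continue` added in the second sec-mod-cookies.c hunk loops forever once an expired entry is reached: it jumps back to `while (t != NULL)` without advancing the iterator, and `t` is only assigned before the loop (`htable_first`) and, presumably, at the end of the body outside this hunk, so the same expired entry is re-tested on every iteration and sec-mod stops servicing the list-cookies request. Advance before skipping, e.g. `if (IS_CLIENT_ENTRY_EXPIRED(sec, t, now)) { t = htable_next(db, &iter); continue; }` if that is the advance the body uses, or restructure the body so the skip falls through to the common advance. Note also that the macro's `in_use == 0` clause means a timed-out entry that is still in use is still exported, which may be intended but deserves a one-line comment. handle_secm_list_cookies_reply's loop body continues beyond the hunk.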
@@ -168,8 +168,7 @@ void cleanup_client_entries(sec_mod_st *sec)
 t = htable_first(db, &iter);
 while (t != NULL) {
- if (t->time != -1 && (now - t->time) > (sec->config->cookie_timeout + AUTH_SLACK_TIME) &&
- t->in_use == 0) {
+ if IS_CLIENT_ENTRY_EXPIRED_FULL(sec, t, now, 1) {
 htable_delval(db, &iter);
 clean_entry(sec, t);
 }
diff --git a/src/sec-mod.h b/src/sec-mod.h
index d37847f9..6924865a 100644
--- a/src/sec-mod.h
+++ b/src/sec-mod.h
@@ -68,6 +68,9 @@ typedef struct common_acct_info_st {
 unsigned id;
 } common_acct_info_st;
+#define IS_CLIENT_ENTRY_EXPIRED_FULL(sec, e, now, clean) (e->time != -1 && (now - e->time) > (sec->config->cookie_timeout + (clean?AUTH_SLACK_TIME:0)) && e->in_use == 0)
+#define IS_CLIENT_ENTRY_EXPIRED(sec, e, now) IS_CLIENT_ENTRY_EXPIRED_FULL(sec, e, now, 0)
+
 typedef struct client_entry_st {
 /* A unique session identifier used to distinguish sessions
 * prior to authentication. It is sent as cookie to the client
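Review bot: The two macros added in sec-mod.h do not parenthesize their arguments, so `e`, `sec`, `now` and `clean` are substituted raw into an expression built from `->`, `-`, `+` and `?:`; an argument such as `now + 1` or a cast binds wrongly, and `e` is expanded three times, so it must never carry a side effect. Use `#define IS_CLIENT_ENTRY_EXPIRED_FULL(sec, e, now, clean) ((e)->time != -1 && ((now) - (e)->time) > ((sec)->config->cookie_timeout + ((clean) ? AUTH_SLACK_TIME : 0)) && (e)->in_use == 0)`, or a `static inline` predicate, which would also give type checking on the arguments. A short comment above the definitions would help readers, e.g. `/* "Expired" = timed out and not in use; clean adds AUTH_SLACK_TIME for the reaper only */`. Note that `e->in_use == 0` is part of the non-clean variant as well, so every caller now treats an in-use entry as not expired regardless of its age.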