RPCSEC_GSS: Enable expiring of credentials
Signed-off-by: Trond Myklebust
---
 include/linux/sunrpc/auth_gss.h | 1 +
 net/sunrpc/auth_gss/auth_gss.c | 9 +++++++++
 2 files changed, 10 insertions(+)
Index: linux-2.6.11-rc3/include/linux/sunrpc/auth_gss.h
===================================================================
--- linux-2.6.11-rc3.orig/include/linux/sunrpc/auth_gss.h
+++ linux-2.6.11-rc3/include/linux/sunrpc/auth_gss.h
@@ -74,6 +74,7 @@ struct gss_cl_ctx {
 struct gss_ctx *gc_gss_ctx;
 struct xdr_netobj gc_wire_ctx;
 u32 gc_win;
+ unsigned long gc_expiry;
 char gc_principal[0];
 };
Index: linux-2.6.11-rc3/net/sunrpc/auth_gss/auth_gss.c
===================================================================
--- linux-2.6.11-rc3.orig/net/sunrpc/auth_gss/auth_gss.c
+++ linux-2.6.11-rc3/net/sunrpc/auth_gss/auth_gss.c
@@ -237,6 +237,7 @@ gss_alloc_context(const char *principal)
 return ctx;
 }
+#define GSSD_MIN_TIMEOUT (60 * 60)
 static const void *
 gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm)
 {
@@ -250,6 +251,9 @@ gss_fill_context(const void *p, const vo
 p = simple_get_bytes(p, end, &timeout, sizeof(timeout));
 if (IS_ERR(p))
 goto err;
+ if (timeout == 0)
+ timeout = GSSD_MIN_TIMEOUT;
+ ctx->gc_expiry = jiffies + (unsigned long)timeout * HZ * 3 / 4;
 /* Sequence number window. Determines the maximum number of simultaneous requests */
 p = simple_get_bytes(p, end, &window_size, sizeof(window_size));
 if (IS_ERR(p))
@@ -704,6 +708,11 @@ out_err:
 static int
 gss_match(struct auth_cred *acred, struct rpc_cred *rc, int taskflags)
 {
+ struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base);
+
+ /* Don't match with creds that have expired. */
+ if (gss_cred->gc_ctx && time_after(jiffies, gss_cred->gc_ctx->gc_expiry))
+ return 0;
 return (rc->cr_uid == acred->uid);
 }
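Review bot: The name `GSSD_MIN_TIMEOUT` misleads: the define is only substituted when gssd reports a lifetime of 0, so it is a fallback, not a floor, and a reported lifetime of 5 seconds is used as-is. It is also dropped between the closing `}` of gss_alloc_context and `static const void *` with no blank line and no explanation of where the one-hour figure comes from. A one-line comment above it would fix both, e.g. `/* Lifetime (seconds) assumed when gssd reports 0; not a lower bound on reported lifetimes */`, followed by a blank line before the function. gss_fill_context starts in this hunk and its body continues outside it.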
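Review bot: `ctx->gc_expiry = jiffies + (unsigned long)timeout * HZ * 3 / 4;` puts no bound on `timeout`, which is parsed straight out of the gssd upcall message, so on a 32-bit kernel `timeout * HZ * 3` wraps once the lifetime exceeds roughly 2^32 / (3 * HZ) seconds (about 16 days at HZ=1000), and independent of wrapping any delta above LONG_MAX/2 jiffies is read by time_after() as already in the past. Both cases make a long-lived context look expired on every lookup, an upcall storm rather than a security bypass, but still worth a clamp rather than a silent wrap: `if (timeout > MAX_JIFFY_OFFSET / HZ) timeout = MAX_JIFFY_OFFSET / HZ;` after the zero check, assuming MAX_JIFFY_OFFSET is in this tree's linux/jiffies.h (otherwise spell out the same `(~0UL >> 1)` bound). The 0-to-one-hour fallback also deserves a comment saying what 0 from gssd means; if gssd can report 0 for a context that has already expired, this line keeps it matchable for 45 minutes, so confirm the upcall contract. gss_fill_context's body starts and ends outside the hunk, so the declared type of `timeout` is not visible here.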
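Review bot: `gss_cred->gc_ctx` is read and then dereferenced for `gc_expiry` with no lock or reference held, so if the upcall path can replace and release `gc_ctx` while a cred-cache lookup is in flight (the rest of this file appears to read that pointer under gss_ctx_lock via gss_cred_get_ctx(), which I cannot see from the hunk, so confirm), the second dereference can touch a context that was just freed. Going through the existing get/put accessors keeps the check race-free and is a few more lines than I can quote inline, so it is sketched below. If gss_match() is already entered with a spinlock held, a read lock inside the accessor is still fine, but any sleeping primitive would not be.
```c
static int
gss_match(struct auth_cred *acred, struct rpc_cred *rc, int taskflags)
{
	struct gss_cl_ctx *ctx = gss_cred_get_ctx(rc);
	int expired = 0;

	/* Don't match with creds that have expired. */
	if (ctx) {
		expired = time_after(jiffies, ctx->gc_expiry);
		gss_put_ctx(ctx);
	}
	if (expired)
		return 0;
	return (rc->cr_uid == acred->uid);
}
```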