[28835] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Fix renewable ticket lifetimes

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 18 12:20:20 2015

Date: Wed, 18 Mar 2015 12:20:14 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201503181620.t2IGKEeQ000942@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/3d9de684ea933c4887a7aebabc71287cbf5a3f3c
commit 3d9de684ea933c4887a7aebabc71287cbf5a3f3c
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Mar 17 14:07:38 2015 -0400

    Fix renewable ticket lifetimes
    
    Commit b0661f9176f5eb2644ba459e1b1e87d3dd502174 removed the starttime
    hack in the EncTicketPart decoder.  Take this into account when
    computing the old lifetime of a ticket we are renewing.  Without this
    fix, we compute an old lifetime equal to the ticket end time, add that
    to the current KDC time, and issue a ticket with a negative end time
    due to wraparound.  Add a simple test to t_renew.py to detect this by
    making sure that a renewed ticket is usable.
    
    This bug appeared only on master and not as part of any release, so
    there is no associated ticket.

 src/kdc/do_tgs_req.c |    5 ++++-
 src/tests/t_renew.py |    3 +++
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index a40654f..fa88623 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -461,6 +461,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     }
 
     if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
+        krb5_timestamp old_starttime;
         krb5_deltat old_life;
 
         assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
@@ -470,7 +471,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         enc_tkt_reply = *(header_ticket->enc_part2);
         enc_tkt_reply.authorization_data = NULL;
 
-        old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
+        old_starttime = enc_tkt_reply.times.starttime ?
+            enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
+        old_life = enc_tkt_reply.times.endtime - old_starttime;
 
         enc_tkt_reply.times.starttime = kdc_time;
         enc_tkt_reply.times.endtime =
diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
index cb32d1a..a5f0d4b 100644
--- a/src/tests/t_renew.py
+++ b/src/tests/t_renew.py
@@ -27,6 +27,9 @@ realm.kinit(realm.user_princ, flags=['-R'])
 realm.kinit(realm.user_princ, flags=['-R'])
 realm.klist(realm.user_princ)
 
+# Make sure we can use a renewed ticket.
+realm.run([kvno, realm.user_princ])
+
 # Make sure we can't renew non-renewable tickets.
 test('non-renewable', '1h', '1h', False)
 out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post