Date: Wed, 18 Mar 2015 12:20:14 -0400 From: Greg Hudson <ghudson@mit.edu> Message-Id: <201503181620.t2IGKEeQ000942@drugstore.mit.edu> To: cvs-krb5@mit.edu Reply-To: krbdev@mit.edu MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cvs-krb5-bounces@mit.edu https://github.com/krb5/krb5/commit/3d9de684ea933c4887a7aebabc71287cbf5a3f3c commit 3d9de684ea933c4887a7aebabc71287cbf5a3f3c Author: Greg Hudson <ghudson@mit.edu> Date: Tue Mar 17 14:07:38 2015 -0400 Fix renewable ticket lifetimes Commit b0661f9176f5eb2644ba459e1b1e87d3dd502174 removed the starttime hack in the EncTicketPart decoder. Take this into account when computing the old lifetime of a ticket we are renewing. Without this fix, we compute an old lifetime equal to the ticket end time, add that to the current KDC time, and issue a ticket with a negative end time due to wraparound. Add a simple test to t_renew.py to detect this by making sure that a renewed ticket is usable. This bug appeared only on master and not as part of any release, so there is no associated ticket. src/kdc/do_tgs_req.c | 5 ++++- src/tests/t_renew.py | 3 +++ 2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index a40654f..fa88623 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -461,6 +461,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 }
 if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
+ krb5_timestamp old_starttime;
 krb5_deltat old_life;
 assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
@@ -470,7 +471,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 enc_tkt_reply = *(header_ticket->enc_part2);
 enc_tkt_reply.authorization_data = NULL;
- old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
+ old_starttime = enc_tkt_reply.times.starttime ?
+ enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
+ old_life = enc_tkt_reply.times.endtime - old_starttime;
 enc_tkt_reply.times.starttime = kdc_time;
 enc_tkt_reply.times.endtime =
diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
index cb32d1a..a5f0d4b 100644
--- a/src/tests/t_renew.py
+++ b/src/tests/t_renew.py
@@ -27,6 +27,9 @@ realm.kinit(realm.user_princ, flags=['-R'])
 realm.kinit(realm.user_princ, flags=['-R'])
 realm.klist(realm.user_princ)
+# Make sure we can use a renewed ticket.
+realm.run([kvno, realm.user_princ])
+
 # Make sure we can't renew non-renewable tickets.
 test('non-renewable', '1h', '1h', False)
 out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)
_______________________________________________ cvs-krb5 mailing list cvs-krb5@mit.edu https://mailman.mit.edu/mailman/listinfo/cvs-krb5
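Review bot: The new `old_life = enc_tkt_reply.times.endtime - old_starttime;` is still an unchecked signed subtraction, and its result is later added to `kdc_time` in an expression that continues past the end of this hunk. If a header ticket ever reached this point with `authtime` also zero, or with `endtime` not after the chosen start, the renewed end time could again wrap or land in the past, which is the failure the commit message describes. Earlier request validation may already rule this out (not visible here), but a local guard such as `if (old_starttime == 0 || enc_tkt_reply.times.endtime <= old_starttime)` that fails the request through the function's existing error path would keep the arithmetic safe on its own. A short comment above the fallback, e.g. `/* starttime is optional in the ticket; when absent it decodes as 0 and authtime is the effective start */`, would also record why the ternary is there.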
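Review bot: The added `realm.run([kvno, realm.user_princ])` only shows that the twice-renewed ticket is accepted at that instant, so a renewed ticket whose end time is wrong but still in the future would pass. If the harness makes it practical, checking the lifetime reported by the preceding `realm.klist` call would pin the computation more tightly; whether klist output is inspected is not visible in this hunk. The comment could also name the regression it guards, e.g. `# Make sure we can use a renewed ticket (a wrapped end time makes it look expired).`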