[1915] in Kerberos-V5-bugs


krb524 service can truncate ticket lifetimes

daemon@ATHENA.MIT.EDU (John Brezak)
Fri May 10 16:13:08 1996

To: krb5-bugs@MIT.EDU
Date: Fri, 10 May 1996 16:12:46 -0400
From: John Brezak <brezak@apollo.hp.com>


I ran into a problem with the conversion of ticket lifetimes between V5 and V4. Basically the
converted values should be clamped at 255 if the (end - start) value is greater than MAX_CHAR.

*** cnv_tkt_skey.c~	Mon Jul 10 11:24:36 1995
--- cnv_tkt_skey.c	Fri May 10 13:35:27 1996
***************
*** 71,78 ****
       /* V4 lifetime is 1 byte, in 5 minute increments */
       if (v5etkt->times.starttime == 0)
  	  v5etkt->times.starttime = v5etkt->times.authtime;
!      lifetime = 0xff &
! 	  ((v5etkt->times.endtime - v5etkt->times.authtime) / 300);
  
       /* XXX perhaps we should use the addr of the client host if */
       /* v5creds contains more than one addr.  Q: Does V4 support */
--- 71,81 ----
       /* V4 lifetime is 1 byte, in 5 minute increments */
       if (v5etkt->times.starttime == 0)
  	  v5etkt->times.starttime = v5etkt->times.authtime;
!      lifetime = ((v5etkt->times.endtime - v5etkt->times.authtime) / 300);
!      if (lifetime > 0xff)
! 	 lifetime = 0xff;
!      else
! 	 lifetime &= 0xff;
  
       /* XXX perhaps we should use the addr of the client host if */
       /* v5creds contains more than one addr.  Q: Does V4 support */
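Review bot: The new `else lifetime &= 0xff;` branch does not guard the low end of the range. For a quotient between 0 and 0xff the mask is a no-op, and if `lifetime` is a signed type (its declaration is not visible in this hunk) and endtime is earlier than authtime, the negative quotient is masked into a nonzero lifetime instead of being rejected. Suggest dropping the `else` and adding an explicit `if (lifetime < 0) lifetime = 0;`, or failing the conversion. Also worth confirming: this file measures from authtime while conv_creds.c measures from starttime, even though starttime has just been defaulted two lines above.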
***************
*** 87,95 ****
       }
       
       if (krb524_debug)
! 	printf("startime = %ld, authtime = %ld, lifetime = %ld\n",
  	       (long) v5etkt->times.starttime,
  	       (long) v5etkt->times.authtime,
  	       (long) lifetime);
  
       /* XXX are there V5 flags we should map to V4 equivalents? */
--- 90,99 ----
       }
       
       if (krb524_debug)
! 	printf("startime = %ld, authtime = %ld, endtime = %ld, lifetime = %ld\n",
  	       (long) v5etkt->times.starttime,
  	       (long) v5etkt->times.authtime,
+ 	       (long) v5etkt->times.endtime,
  	       (long) lifetime);
  
       /* XXX are there V5 flags we should map to V4 equivalents? */
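Review bot: The format string on the changed printf line still reads "startime"; since the line is being rewritten anyway, spell it "starttime" so the debug output can be searched by field name. The added `(long) v5etkt->times.endtime` argument matches the new `%ld`, and the argument order agrees with the labels.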
*** conv_creds.c~	Mon Jul 10 11:24:37 1995
--- conv_creds.c	Fri May 10 13:43:55 1996
***************
*** 94,103 ****
  
       /* V4 has no concept of authtime or renew_till, so ignore them */
       /* V4 lifetime is 1 byte, in 5 minute increments */
!      v4creds->lifetime = 0xff &
  	  ((v5creds->times.endtime - v5creds->times.starttime) / 300);
!      v4creds->issue_date = v5creds->times.starttime;
  
       /* XXX perhaps we should use the addr of the client host if */
       /* v5creds contains more than one addr.  Q: Does V4 support */
       /* non-INET addresses? */
--- 94,112 ----
  
       /* V4 has no concept of authtime or renew_till, so ignore them */
       /* V4 lifetime is 1 byte, in 5 minute increments */
!      v4creds->lifetime = 
  	  ((v5creds->times.endtime - v5creds->times.starttime) / 300);
!      if (v4creds->lifetime > 0xff)
! 	 v4creds->lifetime = 0xff;
!      else
! 	 v4creds->lifetime &= 0xff;
       
+      v4creds->issue_date = v5creds->times.starttime;
+ #ifdef DEBUG
+      printf("v5 start=%lu end=%lu v4 issue=%lu lifetime=%lu\n",
+ 	    v5creds->times.starttime, v5creds->times.endtime,
+ 	    v4creds->issue_date, v4creds->lifetime);
+ #endif
       /* XXX perhaps we should use the addr of the client host if */
       /* v5creds contains more than one addr.  Q: Does V4 support */
       /* non-INET addresses? */
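Review bot: The clamp here is applied after the quotient has already been stored in `v4creds->lifetime`. If that field is as narrow as the comment above it suggests ("V4 lifetime is 1 byte"), the assignment truncates first and `v4creds->lifetime > 0xff` can never be true, so the fix would have no effect in this file. The field's type is not visible in the hunk; computing into a wider local, comparing against 0xff, and only then assigning (as cnv_tkt_skey.c does with `lifetime`) would be safe either way. In the `#ifdef DEBUG` printf, the `%lu` arguments are passed without casts, unlike the `(long)` casts used in the krb524_debug printf in cnv_tkt_skey.c; cast each one to `unsigned long` so the format matches regardless of the underlying types.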


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 John Brezak                    Internet: brezak@ch.hp.com
 Hewlett Packard/Apollo         Phone:    (508) 436-4915
 300 Apollo Drive               Fax:      (508) 436-5140
 Chelmsford, Massachusetts, USA


