From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Aug 24 18:14:40 2010
Date: Tue, 24 Aug 2010 17:56:19 -0400
Message-Id: <201008242156.o7OLuJuq032305@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: key expiration computed
incorrectly in libkdb_ldap From: nalin@redhat.com X-send-pr-version: 3.99 X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 X-Brightmail-Tracker: AAAAAA== X-Mailman-Approved-At: Tue, 24 Aug 2010 18:14:39 -0400 X-BeenThere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Reply-To: nalin@redhat.com Sender: krb5-bugs-incoming-bounces@PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu >Submitter-Id: net >Originator: >Organization: >Confidential: no >Synopsis: key expiration computed incorrectly in libkdb_ldap >Severity: non-critical >Priority: medium >Category: krb5-kdc >Class: sw-bug >Release: 1.8.3 >Environment: System: Linux blade.bos.redhat.com 2.6.34-43.fc14.x86_64 #1 SMP Thu Jun 17 10:32:12 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux Architecture: x86_64 >Description: Rob Crittenden noticed that, in populate_krb5_db_entry(), key expirations weren't being computed as expected. It turns out that neither KDB_PRINC_EXPIRE_TIME_ATTR nor KDB_PWD_EXPIRE_TIME_ATTR is defined to 1, so the check for their bits could never succeed as written. Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c =================================================================== --- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 24252) +++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy) @@ -2087,7 +2087,7 @@ goto cleanup; if (attr_present == TRUE) { - if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) { + if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) { if (expiretime < entry->expiration) entry->expiration = expiretime; } else { @@ -2127,7 +2127,7 @@ if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) goto cleanup; - if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { + if (mask & KDB_PWD_EXPIRE_TIME_ATTR) { if ((last_pw_changed + pw_max_life) < entry->pw_expiration) entry->pw_expiration = last_pw_changed + pw_max_life; } else
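Review bot: a regression test is missing for the condition in the @@ -2087 hunk, `if (mask & KDB_PRINC_EXPIRE_TIME_ATTR)`. Per the description the old `== 1` comparison could never succeed, so every entry took the else branch until now; with the fix, entries that have this bit set go through the `expiretime < entry->expiration` path for the first time. A test with one principal that has the bit set and one that does not would pin the intended result down. Writing the condition as `(mask & KDB_PRINC_EXPIRE_TIME_ATTR) != 0` would make the intent explicit, and the rest of ldap_misc.c is worth checking for other comparisons of a masked value against 1.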
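Review bot: in the @@ -2127 hunk, `last_pw_changed + pw_max_life` is evaluated twice and nothing in the visible lines guards the sum against wrapping. Whether it can wrap depends on the types of the two operands, which the hunk does not show, but since this branch was unreachable before the fix it has not been exercised in practice. Compute the sum once into a local, check it for overflow, and only then compare it with `entry->pw_expiration` and assign it.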