Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP id XAA05816; Tue, 5 Aug 2003 23:09:52 -0400 (EDT)
Received: from pivsbh2.ms.com (pivsbh2.ms.com [199.89.64.104]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h7639o3G011746 for <krb5-bugs@mit.edu>; Tue, 5 Aug 2003 23:09:50 -0400 (EDT)
Received: from pivsbh2.ms.com (localhost [127.0.0.1]) by localhost.ms.com (Postfix) with SMTP id 6D048A233 for <krb5-bugs@mit.edu>; Tue,  5 Aug 2003 23:09:50 -0400 (EDT)
Received: from ny16im02.ms.com (unknown [144.14.206.243]) by pivsbh2.ms.com (internal Postfix) with ESMTP id 551D8A2BF for <krb5-bugs@mit.edu>; Tue,  5 Aug 2003 23:09:50 -0400 (EDT)
Received: from limus.ms.com (limus [144.14.15.176]) by ny16im02.ms.com (Sendmail MTA Hub) with ESMTP id h7639oT20806; Tue, 5 Aug 2003 23:09:50 -0400 (EDT)
Received: (cesarg@localhost) by limus.ms.com (8.11.6/sendmail.cf.client v1.05) id h7639o222169; Tue, 5 Aug 2003 23:09:50 -0400
X-Mailer: 21.4 (patch 12) "Portable Code" XEmacs Lucid (via feedmail 10 I); VM 7.14 under 21.4 (patch 12) "Portable Code" XEmacs Lucid
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <16176.29054.72901.466152@limus.ms.com>
Date: Tue, 5 Aug 2003 23:09:50 -0400
From: Cesar Garcia <Cesar.Garcia@morganstanley.com>
To: Cesar Garcia <Cesar.Garcia@morganstanley.com>
Cc: krb5-bugs@mit.edu
Subject: Re: minor bug in lifetime logic in krb524
In-Reply-To: <16176.16157.125079.593566@limus.ms.com>
References: <16176.16157.125079.593566@limus.ms.com>
X-RT-Original-Encoding: us-ascii
Content-Length: 4033

I realize I didn't not clearly explain the behavior currently
implemented in 1.3.1. The behavior of the current code is to issue
a kerberos 4 ticket whose lifetime exceeds that of the kerberos 5
ticket. The effective endtime for the derived K4 ticket will float
somewhat depending on the timing of the request - not by much, within
the limits one increment in the lifetime byte. This is because the
endtime of the K4 ticket it is not strictly bound to the endtime of
the K5 ticket.

These patches provide a stricter binding of K5 ticket endtime and K4
ticket endtime (they are equivalent). This may be insignificant and
perhaps intended.

>>>>> "Cesar" == Cesar Garcia <Cesar.Garcia@morganstanley.com> writes:

Cesar> Can someone confirm this?
Cesar> There appears to be is a minor bug in the lifetime logic in
Cesar> krb524/cnv_tkt_skey.c. It would appear that the intent of the code was
Cesar> to generate a kerberos 4 ticket with the same expiration time as the 
Cesar> kerberos 5 ticket, adjusting the starttime such that it may be earlier
Cesar> than the actual starttime. If so, then the current code is only an
Cesar> appro does not give you these results. I could be wrong about the
Cesar> intent, the comments a somewhat unclear, but this objective would make
Cesar> sense, at least to me.

Cesar> I'm submitting two patches for your review.

Cesar> The first patch was tested with a build of krb524d and a piece of
Cesar> client code that examines the sealed portion of an AFS token using
Cesar> ktc_GetToken, afsconf_GetKey, tkt_DecodeTicket on the client side to
Cesar> examine the sealed part of the AFS token. The second patch was
Cesar> tested with an application that acquires AFS tokens by way of 524
Cesar> using the second patch attached.

Cesar> Thanks.

Cesar> *** cnv_tkt_skey.c.orig	Tue Aug  5 19:23:21 2003
Cesar> --- cnv_tkt_skey.c	Tue Aug  5 19:24:32 2003
Cesar> ***************
Cesar> *** 132,138 ****
Cesar>        if ((server_time + context->clockskew >= v5etkt->times.starttime)
Cesar>   	 && (server_time - context->clockskew <= v5etkt->times.endtime)) {
Cesar>   	  lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
Cesar> ! 	  v4endtime = krb_life_to_time(v5etkt->times.starttime, lifetime);
Cesar>   	  /*
Cesar>   	   * Adjust start time backwards if the lifetime value
Cesar>   	   * returned by krb_time_to_life() maps to a longer lifetime
Cesar> --- 132,138 ----
Cesar>        if ((server_time + context->clockskew >= v5etkt->times.starttime)
Cesar>   	 && (server_time - context->clockskew <= v5etkt->times.endtime)) {
Cesar>   	  lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
Cesar> ! 	  v4endtime = krb_life_to_time(server_time, lifetime);
Cesar>   	  /*
Cesar>   	   * Adjust start time backwards if the lifetime value
Cesar>   	   * returned by krb_time_to_life() maps to a longer lifetime
Cesar> *** conv_creds.c.orig	Tue Aug  5 19:29:09 2003
Cesar> --- conv_creds.c	Tue Aug  5 19:25:30 2003
Cesar> ***************
Cesar> *** 127,136 ****
Cesar>   		 sizeof(C_Block));
  
Cesar>        /* V4 has no concept of authtime or renew_till, so ignore them */
Cesar> !      v4creds->issue_date = v5creds->times.starttime;
Cesar> !      v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
v5creds-> times.endtime);
Cesar> !      endtime = krb5int_krb_life_to_time(v5creds->times.starttime,
v4creds-> lifetime);
Cesar>        /*
Cesar>         * Adjust start time backwards to deal with rounding up in
Cesar> --- 127,138 ----
Cesar>   		 sizeof(C_Block));
  
Cesar>        /* V4 has no concept of authtime or renew_till, so ignore them */
Cesar> !      if (ret = krb5_timeofday(context, &(v4creds->issue_date)) {
Cesar> !          return ret;
Cesar> !      }
Cesar> !      v4creds->lifetime = krb5int_krb_time_to_life(v4creds->issue_date,
v5creds-> times.endtime);
Cesar> !      endtime = krb5int_krb_life_to_time(v4creds->issue_date,
v4creds-> lifetime);
Cesar>        /*
Cesar>         * Adjust start time backwards to deal with rounding up in