Skip Menu |
 

Date: Tue, 5 Aug 2003 19:34:53 -0400
From: Cesar Garcia <Cesar.Garcia@morganstanley.com>
To: krb5-bugs@mit.edu
Cc: cesar.garcia@morganstanley.com
Subject: minor bug in lifetime logic in krb524
Can someone confirm this?

There appears to be is a minor bug in the lifetime logic in
krb524/cnv_tkt_skey.c. It would appear that the intent of the code was
to generate a kerberos 4 ticket with the same expiration time as the
kerberos 5 ticket, adjusting the starttime such that it may be earlier
than the actual starttime. If so, then the current code is only an
appro does not give you these results. I could be wrong about the
intent, the comments a somewhat unclear, but this objective would make
sense, at least to me.

I'm submitting two patches for your review.

The first patch was tested with a build of krb524d and a piece of
client code that examines the sealed portion of an AFS token using
ktc_GetToken, afsconf_GetKey, tkt_DecodeTicket on the client side to
examine the sealed part of the AFS token. The second patch was
tested with an application that acquires AFS tokens by way of 524
using the second patch attached.

Thanks.
*** cnv_tkt_skey.c.orig Tue Aug 5 19:23:21 2003
--- cnv_tkt_skey.c Tue Aug 5 19:24:32 2003
***************
*** 132,138 ****
if ((server_time + context->clockskew >= v5etkt->times.starttime)
&& (server_time - context->clockskew <= v5etkt->times.endtime)) {
lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
! v4endtime = krb_life_to_time(v5etkt->times.starttime, lifetime);
/*
* Adjust start time backwards if the lifetime value
* returned by krb_time_to_life() maps to a longer lifetime
--- 132,138 ----
if ((server_time + context->clockskew >= v5etkt->times.starttime)
&& (server_time - context->clockskew <= v5etkt->times.endtime)) {
lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
! v4endtime = krb_life_to_time(server_time, lifetime);
/*
* Adjust start time backwards if the lifetime value
* returned by krb_time_to_life() maps to a longer lifetime
*** conv_creds.c.orig Tue Aug 5 19:29:09 2003
--- conv_creds.c Tue Aug 5 19:25:30 2003
***************
*** 127,136 ****
sizeof(C_Block));

/* V4 has no concept of authtime or renew_till, so ignore them */
! v4creds->issue_date = v5creds->times.starttime;
! v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
v5creds->times.endtime);
! endtime = krb5int_krb_life_to_time(v5creds->times.starttime,
v4creds->lifetime);
/*
* Adjust start time backwards to deal with rounding up in
--- 127,138 ----
sizeof(C_Block));

/* V4 has no concept of authtime or renew_till, so ignore them */
! if (ret = krb5_timeofday(context, &(v4creds->issue_date)) {
! return ret;
! }
! v4creds->lifetime = krb5int_krb_time_to_life(v4creds->issue_date,
v5creds->times.endtime);
! endtime = krb5int_krb_life_to_time(v4creds->issue_date,
v4creds->lifetime);
/*
* Adjust start time backwards to deal with rounding up in
Date: Tue, 5 Aug 2003 23:09:50 -0400
From: Cesar Garcia <Cesar.Garcia@morganstanley.com>
To: Cesar Garcia <Cesar.Garcia@morganstanley.com>
Cc: krb5-bugs@mit.edu
Subject: Re: minor bug in lifetime logic in krb524
Download (untitled) / with headers
text/plain 3.9KiB
I realize I didn't not clearly explain the behavior currently
implemented in 1.3.1. The behavior of the current code is to issue
a kerberos 4 ticket whose lifetime exceeds that of the kerberos 5
ticket. The effective endtime for the derived K4 ticket will float
somewhat depending on the timing of the request - not by much, within
the limits one increment in the lifetime byte. This is because the
endtime of the K4 ticket it is not strictly bound to the endtime of
the K5 ticket.

These patches provide a stricter binding of K5 ticket endtime and K4
ticket endtime (they are equivalent). This may be insignificant and
perhaps intended.

Show quoted text
>>>>> "Cesar" == Cesar Garcia <Cesar.Garcia@morganstanley.com> writes:

Show quoted text
Cesar> Can someone confirm this?
Cesar> There appears to be is a minor bug in the lifetime logic in
Cesar> krb524/cnv_tkt_skey.c. It would appear that the intent of the code was
Cesar> to generate a kerberos 4 ticket with the same expiration time as the
Cesar> kerberos 5 ticket, adjusting the starttime such that it may be earlier
Cesar> than the actual starttime. If so, then the current code is only an
Cesar> appro does not give you these results. I could be wrong about the
Cesar> intent, the comments a somewhat unclear, but this objective would make
Cesar> sense, at least to me.

Show quoted text
Cesar> I'm submitting two patches for your review.

Show quoted text
Cesar> The first patch was tested with a build of krb524d and a piece of
Cesar> client code that examines the sealed portion of an AFS token using
Cesar> ktc_GetToken, afsconf_GetKey, tkt_DecodeTicket on the client side to
Cesar> examine the sealed part of the AFS token. The second patch was
Cesar> tested with an application that acquires AFS tokens by way of 524
Cesar> using the second patch attached.

Show quoted text
Cesar> Thanks.

Show quoted text
Cesar> *** cnv_tkt_skey.c.orig Tue Aug 5 19:23:21 2003
Cesar> --- cnv_tkt_skey.c Tue Aug 5 19:24:32 2003
Cesar> ***************
Cesar> *** 132,138 ****
Cesar> if ((server_time + context->clockskew >= v5etkt->times.starttime)
Cesar> && (server_time - context->clockskew <= v5etkt->times.endtime)) {
Cesar> lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
Cesar> ! v4endtime = krb_life_to_time(v5etkt->times.starttime, lifetime);
Cesar> /*
Cesar> * Adjust start time backwards if the lifetime value
Cesar> * returned by krb_time_to_life() maps to a longer lifetime
Cesar> --- 132,138 ----
Cesar> if ((server_time + context->clockskew >= v5etkt->times.starttime)
Cesar> && (server_time - context->clockskew <= v5etkt->times.endtime)) {
Cesar> lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
Cesar> ! v4endtime = krb_life_to_time(server_time, lifetime);
Cesar> /*
Cesar> * Adjust start time backwards if the lifetime value
Cesar> * returned by krb_time_to_life() maps to a longer lifetime
Cesar> *** conv_creds.c.orig Tue Aug 5 19:29:09 2003
Cesar> --- conv_creds.c Tue Aug 5 19:25:30 2003
Cesar> ***************
Cesar> *** 127,136 ****
Cesar> sizeof(C_Block));

Show quoted text
Cesar> /* V4 has no concept of authtime or renew_till, so ignore them */
Cesar> ! v4creds->issue_date = v5creds->times.starttime;
Cesar> ! v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
v5creds-> times.endtime);
Show quoted text
Cesar> ! endtime = krb5int_krb_life_to_time(v5creds->times.starttime,
v4creds-> lifetime);
Show quoted text
Cesar> /*
Cesar> * Adjust start time backwards to deal with rounding up in
Cesar> --- 127,138 ----
Cesar> sizeof(C_Block));

Show quoted text
Cesar> /* V4 has no concept of authtime or renew_till, so ignore them */
Cesar> ! if (ret = krb5_timeofday(context, &(v4creds->issue_date)) {
Cesar> ! return ret;
Cesar> ! }
Cesar> ! v4creds->lifetime = krb5int_krb_time_to_life(v4creds->issue_date,
v5creds-> times.endtime);
Show quoted text
Cesar> ! endtime = krb5int_krb_life_to_time(v4creds->issue_date,
v4creds-> lifetime);
Show quoted text
Cesar> /*
Cesar> * Adjust start time backwards to deal with rounding up in
From: tlyu@mit.edu
Subject: CVS Commit
Apply patch from Cesar Garcia to fix lifetime computation in 524
ticket conversion.


To generate a diff of this commit:



cvs diff -r1.134 -r1.135 krb5/src/krb524/ChangeLog
cvs diff -r1.31 -r1.32 krb5/src/krb524/cnv_tkt_skey.c
cvs diff -r5.422 -r5.423 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.2 -r5.3 krb5/src/lib/krb5/krb/conv_creds.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r1.122.2.8 -r1.122.2.9 krb5/src/krb524/ChangeLog
cvs diff -r1.28.2.3 -r1.28.2.4 krb5/src/krb524/cnv_tkt_skey.c
cvs diff -r5.378.2.28 -r5.378.2.29 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.2.2.1 -r5.2.2.2 krb5/src/lib/krb5/krb/conv_creds.c