From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Aug 24 18:14:40 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 8C12B3DF2E;
Tue, 24 Aug 2010 18:14:40 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o7OMEe0T015204;
Tue, 24 Aug 2010 18:14:40 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o7OLuLWe012566
for <krb5-bugs-incoming@PCH.mit.edu>; Tue, 24 Aug 2010 17:56:21 -0400
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU
[18.7.68.37])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o7OLteko016507
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:21 -0400
X-AuditID: 12074425-b7cccae000005f17-96-4c743ffeaf50
Received: from mx1.redhat.com ( [209.132.183.28])
by dmz-mailsec-scanner-8.mit.edu (Symantec Brightmail Gateway) with
SMTP id F2.42.24343.EFF347C4; Tue, 24 Aug 2010 17:56:14 -0400 (EDT)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o7OLuKER008792
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:20 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o7OLuJdQ010347
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:20 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o7OLuJ77032306
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:19 -0400
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o7OLuJuq032305;
Tue, 24 Aug 2010 17:56:19 -0400
Date: Tue, 24 Aug 2010 17:56:19 -0400
Message-Id: <201008242156.o7OLuJuq032305@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: key expiration computed incorrectly in libkdb_ldap
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Tue, 24 Aug 2010 18:14:39 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
System: Linux blade.bos.redhat.com 2.6.34-43.fc14.x86_64 #1 SMP Thu Jun 17 10:32:12 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
expirations weren't being computed as expected. It turns out
that neither KDB_PRINC_EXPIRE_TIME_ATTR nor KDB_PWD_EXPIRE_TIME_ATTR
is defined to 1, so the check for their bits could never succeed as
written.
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 24252)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
@@ -2087,7 +2087,7 @@
goto cleanup;
if (attr_present == TRUE) {
- if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
+ if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) {
if (expiretime < entry->expiration)
entry->expiration = expiretime;
} else {
@@ -2127,7 +2127,7 @@
if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
goto cleanup;
- if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
+ if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
entry->pw_expiration = last_pw_changed + pw_max_life;
} else
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 8C12B3DF2E;
Tue, 24 Aug 2010 18:14:40 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o7OMEe0T015204;
Tue, 24 Aug 2010 18:14:40 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o7OLuLWe012566
for <krb5-bugs-incoming@PCH.mit.edu>; Tue, 24 Aug 2010 17:56:21 -0400
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU
[18.7.68.37])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o7OLteko016507
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:21 -0400
X-AuditID: 12074425-b7cccae000005f17-96-4c743ffeaf50
Received: from mx1.redhat.com ( [209.132.183.28])
by dmz-mailsec-scanner-8.mit.edu (Symantec Brightmail Gateway) with
SMTP id F2.42.24343.EFF347C4; Tue, 24 Aug 2010 17:56:14 -0400 (EDT)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o7OLuKER008792
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:20 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o7OLuJdQ010347
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:20 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o7OLuJ77032306
for <krb5-bugs@mit.edu>; Tue, 24 Aug 2010 17:56:19 -0400
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o7OLuJuq032305;
Tue, 24 Aug 2010 17:56:19 -0400
Date: Tue, 24 Aug 2010 17:56:19 -0400
Message-Id: <201008242156.o7OLuJuq032305@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: key expiration computed incorrectly in libkdb_ldap
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Tue, 24 Aug 2010 18:14:39 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
Show quoted text
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: key expiration computed incorrectly in libkdb_ldap
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.8.3
>Environment:
>Originator:
>Organization:
>Confidential: no
>Synopsis: key expiration computed incorrectly in libkdb_ldap
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.8.3
>Environment:
System: Linux blade.bos.redhat.com 2.6.34-43.fc14.x86_64 #1 SMP Thu Jun 17 10:32:12 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
Show quoted text
>Description:
Rob Crittenden noticed that, in populate_krb5_db_entry(), keyexpirations weren't being computed as expected. It turns out
that neither KDB_PRINC_EXPIRE_TIME_ATTR nor KDB_PWD_EXPIRE_TIME_ATTR
is defined to 1, so the check for their bits could never succeed as
written.
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 24252)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
@@ -2087,7 +2087,7 @@
goto cleanup;
if (attr_present == TRUE) {
- if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
+ if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) {
if (expiretime < entry->expiration)
entry->expiration = expiretime;
} else {
@@ -2127,7 +2127,7 @@
if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
goto cleanup;
- if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
+ if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
entry->pw_expiration = last_pw_changed + pw_max_life;
} else