Subject: Year 2038 fixes
In January 2038, the Unix time value overflows signed 32-bit integers,
which will break a wide variety of krb5 operations. This problem can
already be observed by trying to set a very long expiration time for a
principal (modprinc -pwexpire "25 years" princname).

On platforms with 32-bit time_t, this problem is essentially
intractable; we would have to avoid all platform functions using time_t
and find some other way of obtaining the current time. Also, even if
krb5 continued working after 2038 on such systems, the remainder of the
operating system would not. So our solution can be predicated on
64-bit time_t.

On platforms with 64-bit time_t, we continue to have many issues
because krb5_timestamp is fixed at 32 bits. This type appears in
numerous libkrb5 APIs and public structures, in protocols such as
kadmin and iprop, and in file formats such as the db2 KDB module.
Migrating to a 64-bit krb5_timestamp would require a huge transition.

A less difficult option is to use the sign bit of krb5_timestamp to
represent time values up to year 2106. The value -1 can remain as a
distinguished value. To do this we will need to:

* Create libkrb5 API functions to convert krb5_timestamp to time_t and
vice versa.

* Scour the code base for uses of krb5_timestamp values, and use the
conversion functions wherever they are needed.

* Make sure that negative values of krb5_timestamp can be encoded and
decoded wherever they appear in protocol and file formats.

We also need to consider places in the code which subtract one
krb5_timestamp value from another (such as when checking clock skew),
if one of the values can legitimately be negative.
From: ghudson@mit.edu
Subject: git commit

Add timestamp helper functions

Add k5-int.h helper functions to manipulate krb5_timestamp values,
avoiding undefined behavior and treating negative timestamp values as
times between 2038 and 2106. Add a doxygen comment for krb5_timestamp
indicating how third-party code should use it safely.

https://github.com/krb5/krb5/commit/58e9155060cd93b1a7557e37fbc9b077b76465c2
Author: Greg Hudson <ghudson@mit.edu>
Commit: 58e9155060cd93b1a7557e37fbc9b077b76465c2
Branch: master
src/include/k5-int.h | 31 +++++++++++++++++++++++++++++++
src/include/krb5/krb5.hin | 9 +++++++++
2 files changed, 40 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Make timestamp manipulations y2038-safe

Wherever we manipulate krb5_timestamp values using arithmetic,
comparison operations, or conversion to time_t, use the new helper
functions in k5-int.h to ensure that the operations work after y2038
and do not exhibit undefined behavior. (Relying on
implementation-defined conversion to signed values is okay as we test
that in configure.in.)

In printf format strings, use %u instead of signed types. When
exporting creds with k5_json_array_fmt(), use a long long so that
timestamps after y2038 aren't marshalled as negative numbers. When
parsing timestamps in test programs, use atoll() instead of atol() so
that positive timestamps after y2038 can be used as input.

In ksu and klist, make printtime() take a krb5_timestamp parameter to
avoid an unnecessary conversion to time_t and back.

As Leash does not use k5-int.h, use time_t values internally and
safely convert from libkrb5 timestamp values.

https://github.com/krb5/krb5/commit/a9cbbf0899f270fbb14f63ffbed1b6d542333641
Author: Greg Hudson <ghudson@mit.edu>
Commit: a9cbbf0899f270fbb14f63ffbed1b6d542333641
Branch: master
src/clients/kinit/kinit.c | 2 +-
src/clients/klist/klist.c | 22 ++++-------
src/clients/ksu/ccache.c | 22 +++--------
src/clients/ksu/ksu.h | 2 +-
src/kadmin/cli/getdate.y | 2 +-
src/kadmin/cli/kadmin.c | 5 +-
src/kadmin/dbutil/dump.c | 27 +++++++------
src/kadmin/dbutil/kdb5_mkey.c | 6 +-
src/kadmin/dbutil/tabdump.c | 2 +-
src/kadmin/testing/util/tcl_kadm5.c | 12 +++---
src/kdc/do_as_req.c | 2 +-
src/kdc/do_tgs_req.c | 6 +-
src/kdc/extern.c | 4 +-
src/kdc/fast_util.c | 4 +-
src/kdc/kdc_log.c | 14 +++---
src/kdc/kdc_util.c | 20 +++++-----
src/kdc/kdc_util.h | 2 +
src/kdc/replay.c | 2 +-
src/kdc/tgs_policy.c | 7 ++-
src/lib/gssapi/krb5/accept_sec_context.c | 8 ++-
src/lib/gssapi/krb5/acquire_cred.c | 13 ++++--
src/lib/gssapi/krb5/context_time.c | 2 +-
src/lib/gssapi/krb5/export_cred.c | 5 +-
src/lib/gssapi/krb5/iakerb.c | 4 +-
src/lib/gssapi/krb5/init_sec_context.c | 9 ++--
src/lib/gssapi/krb5/inq_context.c | 2 +-
src/lib/gssapi/krb5/inq_cred.c | 5 +-
src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +-
src/lib/kadm5/chpass_util.c | 8 +---
src/lib/kadm5/srv/server_acl.c | 5 +-
src/lib/kadm5/srv/svr_principal.c | 12 +++---
src/lib/kdb/kdb5.c | 2 +-
src/lib/krb5/asn.1/asn1_k_encode.c | 3 +-
src/lib/krb5/ccache/cc_keyring.c | 14 ++++---
src/lib/krb5/ccache/cc_memory.c | 4 +-
src/lib/krb5/ccache/cc_retr.c | 4 +-
src/lib/krb5/ccache/ccapi/stdcc_util.c | 40 ++++++++++----------
src/lib/krb5/ccache/cccursor.c | 2 +-
src/lib/krb5/keytab/kt_file.c | 6 ++-
src/lib/krb5/krb/gc_via_tkt.c | 7 ++-
src/lib/krb5/krb/get_creds.c | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 38 +++++-------------
src/lib/krb5/krb/gic_pwd.c | 4 +-
src/lib/krb5/krb/int-proto.h | 2 +-
src/lib/krb5/krb/pac.c | 2 +-
src/lib/krb5/krb/str_conv.c | 4 +-
src/lib/krb5/krb/t_kerb.c | 12 +-----
src/lib/krb5/krb/valid_times.c | 4 +-
src/lib/krb5/krb/vfy_increds.c | 2 +-
src/lib/krb5/os/timeofday.c | 2 +-
src/lib/krb5/os/toffset.c | 2 +-
src/lib/krb5/os/ustime.c | 6 +-
src/lib/krb5/rcache/rc_dfl.c | 3 +-
src/lib/krb5/rcache/t_replay.c | 8 ++--
src/plugins/kdb/db2/lockout.c | 8 ++--
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +-
src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 8 ++--
src/windows/cns/tktlist.c | 10 +++--
src/windows/include/leashwin.h | 12 +++---
src/windows/leash/KrbListTickets.cpp | 12 +++---
src/windows/leash/LeashView.cpp | 22 +++++-----
src/windows/leashdll/lshfunc.c | 2 +-
src/windows/ms2mit/ms2mit.c | 2 +-
63 files changed, 232 insertions(+), 257 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add timestamp tests

Add a test program for krb5int_validate_times() covering cases before
and across the y2038 boundary. Add a GSSAPI test program to exercise
lifetime queries, and tests using it in t_gssapi.py for ticket end
times after y2038. Add a new test script t_y2038.py which only runs
on platforms with 64-bit time_t to exercise end-user operations across
and after y2038. Add an LDAP test case to test storage of post-y2038
timestamps.

https://github.com/krb5/krb5/commit/8ca62e54e89e2fbd6a089e8ab20b4e374a486003
Author: Greg Hudson <ghudson@mit.edu>
Commit: 8ca62e54e89e2fbd6a089e8ab20b4e374a486003
Branch: master
.gitignore | 2 +
src/Makefile.in | 1 +
src/config/pre.in | 2 +
src/configure.in | 3 +
src/lib/krb5/krb/Makefile.in | 14 +++-
src/lib/krb5/krb/t_valid_times.c | 109 +++++++++++++++++++++++++++++
src/tests/Makefile.in | 1 +
src/tests/gssapi/Makefile.in | 27 ++++---
src/tests/gssapi/t_gssapi.py | 32 +++++++++
src/tests/gssapi/t_lifetime.c | 140 ++++++++++++++++++++++++++++++++++++++
src/tests/t_kdb.py | 7 ++
src/tests/t_y2038.py | 75 ++++++++++++++++++++
12 files changed, 397 insertions(+), 16 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add y2038 documentation

https://github.com/krb5/krb5/commit/85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9
Author: Greg Hudson <ghudson@mit.edu>
Commit: 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9
Branch: master
doc/appdev/index.rst | 1 +
doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix more time manipulations for y2038

Use timestamp helper functions to ensure that more operations are safe
after y2038, and display the current timestamp as unsigned in
krb5int_trace().

https://github.com/krb5/krb5/commit/a60db180211a383bd382afe729e9309acb8dcf53
Author: Greg Hudson <ghudson@mit.edu>
Commit: a60db180211a383bd382afe729e9309acb8dcf53
Branch: master
src/kadmin/server/misc.c | 2 +-
src/kdc/dispatch.c | 2 +-
src/lib/krb5/os/c_ustime.c | 8 ++++----
src/lib/krb5/os/trace.c | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix gmt_mktime for y2038

gmt_mktime() is used as a fallback when the platform does not have
timegm(). Make it work for dates in the unsigned 32-bit range, not
the signed 32-bit range.

https://github.com/krb5/krb5/commit/7e41d97e8dd39833503b74d34e9f0c905a2d4cf2
Author: Greg Hudson <ghudson@mit.edu>
Commit: 7e41d97e8dd39833503b74d34e9f0c905a2d4cf2
Branch: master
src/util/support/gmt_mktime.c | 17 ++++++++---------
1 files changed, 8 insertions(+), 9 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Suppress y2038 GSS tests when time_t is 32-bit

The GSSAPI time_t tests do not run correctly on 32-bit Solaris because
time_t conversions are involved in the "kinit -l 8500d" step.
Suppress the GSS y2038 tests when time_t is 32-bit.

https://github.com/krb5/krb5/commit/462cffcd00c12e6c96d4c045572c0e76a2686538
Author: Greg Hudson <ghudson@mit.edu>
Commit: 462cffcd00c12e6c96d4c045572c0e76a2686538
Branch: master
src/tests/gssapi/t_gssapi.py | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Limit ticket lifetime to 2^31-1 seconds

Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.

The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.

Avoid delta comparisons in favor of timestamp comparisons in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.

Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.

https://github.com/krb5/krb5/commit/54e58755368b58ba5894a14c1d02626da42d8003
Author: Greg Hudson <ghudson@mit.edu>
Commit: 54e58755368b58ba5894a14c1d02626da42d8003
Branch: master
src/clients/ksu/ccache.c | 2 +-
src/include/k5-int.h | 7 +++++++
src/kdc/kdc_util.c | 7 ++++++-
src/kdc/replay.c | 2 +-
src/kdc/t_replay.c | 2 +-
src/lib/krb5/krb/gc_via_tkt.c | 4 ++--
src/lib/krb5/krb/get_in_tkt.c | 6 +++---
src/lib/krb5/krb/int-proto.h | 3 ---
src/lib/krb5/krb/valid_times.c | 4 ++--
src/lib/krb5/os/timeofday.c | 2 +-
10 files changed, 24 insertions(+), 15 deletions(-)
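
Added example (not code from this ticket or from krb5): a C illustration of the sign-bit approach described in the ticket text and of the interval cap described in the "Limit ticket lifetime to 2^31-1 seconds" commit. The type and function names (ex_timestamp, ex_ts_to_time, ex_ts_after, ex_endtime and so on) and the simplified end-time calculation are hypothetical, and the sample values are constructed.

```c
#include <stdint.h>
#include <time.h>

/* Hypothetical stand-in for krb5_timestamp (signed 32-bit). */
typedef int32_t ex_timestamp;
#define EX_MAX_INTERVAL ((uint32_t)INT32_MAX)   /* 2^31-1 seconds */

/* Timestamp -> time_t: reinterpret the bits as unsigned, so negative values
 * map to times between 2038 and 2106.  Assumes a 64-bit time_t. */
static time_t ex_ts_to_time(ex_timestamp ts) { return (time_t)(uint32_t)ts; }

/* time_t -> timestamp: keep the low 32 bits.  The conversion to a signed
 * type is implementation-defined (two's complement wrap in practice). */
static ex_timestamp ex_time_to_ts(time_t t) { return (ex_timestamp)(uint32_t)t; }

/* Ordering that stays correct across the 2038 boundary. */
static int ex_ts_after(ex_timestamp a, ex_timestamp b) { return (uint32_t)a > (uint32_t)b; }

/* Plain signed ordering, for contrast: wrong across the boundary. */
static int naive_after(ex_timestamp a, ex_timestamp b) { return a > b; }

/* Interval a - b computed without signed overflow.  Only meaningful when
 * the true distance is at most 2^31-1 seconds. */
static int32_t ex_ts_delta(ex_timestamp a, ex_timestamp b)
{
    return (int32_t)((uint32_t)a - (uint32_t)b);
}

/* Simplified end-time calculation (assumes till is not before start): the
 * requested lifetime is limited by a policy maximum.  Without the cap, a
 * span above 2^31-1 becomes a negative lifetime, slips under the max_life
 * check, and start + life wraps back to till, so the policy limit is lost. */
static ex_timestamp ex_endtime(ex_timestamp start, ex_timestamp till,
                               int32_t max_life, int cap_interval)
{
    uint32_t span = (uint32_t)till - (uint32_t)start;
    int32_t life = (int32_t)span;          /* negative when span > 2^31-1 */

    if (cap_interval && span > EX_MAX_INTERVAL)
        life = INT32_MAX;                  /* cap at the maximum valid value */
    if (life > max_life)
        life = max_life;
    return (ex_timestamp)((uint32_t)start + (uint32_t)life);
}
```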